Exploit released for critical Windows CryptoAPI spoofing bug

Akamai researchers have released proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability, discovered by the NSA and the U.K.’s NCSC, that allows MD5-collision certificate spoofing.

Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022, but Microsoft only made this public in October, when the advisory was first published.

“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft explains.

Unauthenticated attackers can exploit this bug (tagged by Redmond as critical severity) in low-complexity attacks.

Today, security researchers at cloud security firm Akamai published a proof-of-concept (PoC) exploit and shared an osquery query to help defenders detect CryptoAPI library versions vulnerable to attacks.

“We have searched for applications in the wild that use CryptoAPI in a way that is vulnerable to this spoofing attack. So far, we found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited,” the researchers said.

“We believe there are more vulnerable targets in the wild and our research is still ongoing. We found that fewer than 1% of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability.”

By exploiting this vulnerability, attackers can impact the validation of trust for HTTPS connections and signed executable code, files, or emails.

For instance, threat actors could take advantage of this vulnerability to sign malicious executables with a counterfeit code-signing certificate, giving the appearance that the file is from a trusted source.

As a result, the targets would have no indication that the file is actually malicious, given that the digital signature would seem to come from a reputable and trustworthy provider.

Should an attack using a CVE-2022-34689 exploit be successful, it could also provide attackers with the ability to perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, such as web browsers that use Windows’ CryptoAPI cryptography library.

“There is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7. We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft,” Akamai said.

“For developers, another option to mitigate this vulnerability is to use other WinAPIs to double-check the validity of a certificate before using it, such as CertVerifyCertificateChainPolicy. Keep in mind that applications that do not use end-certificate caching are not vulnerable.”
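Why end-certificate caching matters here, shown as an added illustration (not Akamai's PoC and not Microsoft's code): a simplified model of a cache that treats a matching thumbprint as proof that two certificates are identical, beside a variant that also compares the full certificate bytes. A 16-bit truncated MD5 stands in for a real MD5 collision so the sample runs offline; the class, function names and sample byte strings are all constructed for this example.

```python
import hashlib
import hmac

def thumbprint(der: bytes) -> bytes:
    # Assumption: MD5 truncated to 16 bits stands in for the MD5 thumbprint,
    # so a collision can be found instantly without crafted collision blocks.
    return hashlib.md5(der).digest()[:2]

class EndCertCache:
    """Simplified model of a cache of already-verified end certificates."""

    def __init__(self, strict: bool):
        self.strict = strict
        self._verified = {}  # thumbprint -> full encoded certificate bytes

    def remember_verified(self, der: bytes) -> None:
        self._verified[thumbprint(der)] = der

    def is_cached_as_verified(self, der: bytes) -> bool:
        cached = self._verified.get(thumbprint(der))
        if cached is None:
            return False
        if not self.strict:
            # Flawed assumption: equal thumbprint means identical certificate.
            return True
        # Hardened: the presented bytes must equal the cached bytes exactly.
        return hmac.compare_digest(cached, der)

def find_colliding_blob(target: bytes) -> bytes:
    """Build a different byte string with the same (truncated) thumbprint."""
    want = thumbprint(target)
    counter = 0
    while True:
        candidate = b"CONSTRUCTED-OTHER-CERT-" + str(counter).encode()
        if thumbprint(candidate) == want:
            return candidate
        counter += 1

LEGIT = b"CONSTRUCTED-LEGIT-CERT subject=example.test"  # sample, not real DER
LOOKALIKE = find_colliding_blob(LEGIT)

def demo() -> dict:
    # Each value is (legit accepted from cache, lookalike accepted from cache).
    results = {}
    for name, strict in (("thumbprint_only", False), ("full_compare", True)):
        cache = EndCertCache(strict)
        cache.remember_verified(LEGIT)
        results[name] = (cache.is_cached_as_verified(LEGIT),
                         cache.is_cached_as_verified(LOOKALIKE))
    return results
```

The thumbprint-only cache reports the lookalike as already verified, while the full-compare cache rejects it and would send it back through normal chain validation.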

The NSA reported another Windows CryptoAPI spoofing flaw (CVE-2020-0601) two years ago, which had a much broader scope and affected more potentially vulnerable targets.

PoC exploit code for the vulnerability, now known as CurveBall, was released within 24 hours by Swiss cybersecurity outfit Kudelski Security and security researcher Oliver Lyak.

At the time, CISA ordered federal agencies to patch all affected endpoints within ten business days in its second-ever Emergency Directive.