Threat Watch

Exploit Released for Critical Windows CryptoAPI Spoofing Bug

Researchers at Akamai have released proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability that allows for certificate spoofing. This vulnerability, tracked as CVE-2022-34689, would allow an attacker to manipulate an existing x.509 certificate to spoof their identity and perform any number of actions as the targeted certificate.

Successful exploitation of the vulnerability can impact the validation of trust for HTTPS connections as well as signed executable code, files, or emails. Threat actors could take advantage of this by signing malicious executables with a counterfeit code-signing certificate, making it appear to come from a trusted source. Likewise, exploitation of the vulnerability could give attackers the ability to perform man-in-the-middle attacks and decrypt confidential information being passed to and from the affected software.

Microsoft released security updates that fix this vulnerability in August of last year, before the vulnerability was made public in October. Based on further research by Akamai, however, it is believed that the number of vulnerable targets exposed to the Internet is still extremely high.

ANALYST NOTES

It is highly recommended to install security patches on all Windows systems in an environment, particularly any that are exposed to the Internet. As vulnerabilities are discovered, maintaining a consistent patching cycle for devices can help reduce attack surface and prevent an environment from being breached. Threat actors have been known to still use fixed vulnerabilities that are months old, due to inconsistent patching among many systems around the world. It is also recommended to run Akamai’s OSQuery query, or equivalent tool, across all systems to determine which may be impacted by the vulnerability. In cases where a tool like OSQuery is not available, checking the version number of the crypt32.dll file can help determine if a device is vulnerable or not. Finally, for any developers that create applications using this Windows API, it is recommended to use other Windows-based APIs to double-check the validity of a certificate before using it. One potential API to use is CertVerifyCertificateChainPolicy, which is a Windows API that checks a certificate chain to verify its validity. This additional step can help prevent an application from being vulnerable to this vulnerability, as well as potentially other certificate spoofing vulnerabilities.

https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/

https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi