Researchers have released proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability that allows certificate spoofing by way of an MD5 collision.
This vulnerability, tracked as CVE-2022-34689, allows an attacker to use a public X.509 certificate that is already in use to conceal their identity and carry out operations such as authentication or code signing under the identity of the targeted certificate.
Security researchers have published a proof-of-concept exploit and shared an osquery query to help defenders detect CryptoAPI library versions that are vulnerable to attack. The researchers have looked for applications using CryptoAPI that are susceptible to this spoofing attack and have found that older Chrome versions (v48 and earlier) and applications built on the Chromium platform can be exploited.
Their research is still ongoing, but they suspect there are more vulnerable targets in the wild. They found that less than 1% of visible devices in data centers have this vulnerability patched, leaving the remainder vulnerable.
How it works
Attackers can compromise the validation of trust for HTTPS connections and signed executable code, files, or emails by taking advantage of this vulnerability.
Threat actors might use this flaw to sign malicious executables with a fake code-signing certificate, making it appear as though the file came from a reputable source.
Given that the digital signature appears to come from a reliable and trustworthy supplier, the targets would therefore be unaware that the file is malicious.
If an attack based on a CVE-2022-34689 exploit is successful, it could give attackers access to user connections to the compromised software, including web browsers that use Windows' CryptoAPI library, enabling them to conduct man-in-the-middle attacks and decrypt sensitive data.
Administrators are advised to apply the latest security update released by Microsoft to their Windows servers and endpoints. Developers are advised to use other WinAPIs to verify the validity of a certificate before using it.
Applications that do not use end-certificate caching are not vulnerable to this attack.
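As an added, defender-side example (this is not the researchers' osquery query and not code from the advisory or the cited articles), the following PowerShell script reads the file version of crypt32.dll, the library that implements CryptoAPI, on a Windows host and compares it against a minimum fixed version supplied by the operator. The script name and the -MinimumFixedVersion parameter are assumptions; the page does not state the patched build numbers, so that value must be taken from Microsoft's advisory for CVE-2022-34689 for the host's Windows release.

```powershell
# Check-Crypt32.ps1 (added example; name and parameter are assumptions)
# Reports whether the CryptoAPI library (crypt32.dll) on this host is older
# than the minimum fixed version the operator supplies.
param(
    # PLACEHOLDER: take this value from Microsoft's advisory for CVE-2022-34689
    # for the exact Windows release of the host being checked.
    [Parameter(Mandatory = $true)]
    [version]$MinimumFixedVersion
)

# On 64-bit Windows the 32-bit copy under SysWOW64 is loaded by 32-bit
# applications (including older browsers), so both copies are checked.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\crypt32.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\crypt32.dll')
)

foreach ($dll in $candidates) {
    if (-not (Test-Path -LiteralPath $dll)) { continue }

    $info = (Get-Item -LiteralPath $dll).VersionInfo

    # FileVersion is a free-form string; build the version from the numeric
    # parts so that the comparison is done field by field, not lexically.
    $installed = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                $info.FileBuildPart, $info.FilePrivatePart)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Crypt32Path    = $dll
        Crypt32Version = $installed
        MinimumFixed   = $MinimumFixedVersion
        Vulnerable     = ($installed -lt $MinimumFixedVersion)
    }
}
```

Run it on a single host as `.\Check-Crypt32.ps1 -MinimumFixedVersion <version from the Microsoft advisory>`; for a fleet, wrap the same body in Invoke-Command against a list of computer names and collect the emitted objects. A "Vulnerable = True" row means the update has not landed on that host, which is the condition the researchers' osquery query is meant to surface.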
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Gatlan, S. (January 25, 2023). Exploit released for critical Windows CryptoAPI spoofing bug. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/
Lakshmanan, R. (January 26, 2023). Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA. Retrieved from The Hacker News. https://thehackernews.com/2023/01/researchers-release-poc-exploit-for.html