Windows Cryptography API Gap Still Affects 99% of Users

Windows Cryptography API Gap Still Affects 99% of Users

A critical vulnerability in a Windows encryption API still affects 99% of devices used in internet-facing data centers. The flaw corrected in August last year and publicly revealed by Microsoft in October was the reason for warnings from the US government, through the National Security Agency (NSA), and still remains a danger that can lead to attacks from the use of fake certificates manipulated by criminals.

  • Four urgent measures to increase the security of your company
  • Criminals are inspired by e-commerce and use the dark web to become professional

The secret lies in colliding algorithms in MD5 format. The bug that gives rise to the exploit would be present in Microsoft’s CryptoAPI since 2009 and would not do data collision checks; attackers could then serve a real certificate to target devices, be recognized by them, and then present exploits using a modified version, impersonating the original and gaining access to systems for malware deployment.

At the time, Microsoft cited possible attacks using the breach as being of low complexity, with the application of legitimate certificates being able to happen through emails, documents and other types of files. Next, then, would come the malicious executables, with the operating system not being able to identify the collision in the MD5 signature and believing it to be a legitimate solution, from a certified source.

The loophole tracked as CVE-2022-34689 also targets older versions of browsers like Google Chrome and others based on Chromium, but here, the exploit surface is lower due to the higher refresh rate. The same, however, cannot be verified by the Akamai researchers, who indicated that less than 1% of devices visible in data center networks have the correction applied.

The main result of attacks that use openness is the interception of information, as well as breaking the security of encrypted connections with the CryptoAPI. The risk is greater, mainly, for essential services and government organizations, the main focus of the NSA alert issued at the end of last year, after the correction of the problem by Microsoft, arising precisely from a report by the security agency.

While details about ongoing attacks and exploits already performed are not available, the researchers point out that a proof of concept about the exploit was already available less than two days after the public disclosure of the flaw. CVE-2022-34689, as it is tracked, remains a risk against outdated systems, with the indication being the immediate application of updates and corrections that prevent attacks.

This guidance was even issued on an urgent basis by CISA, the US government’s Cybersecurity and Infrastructure Agency. The agency gave 10 days for companies and official organizations in the country to carry out the update, even though the emergency directive did not follow the indication that attacks with espionage purposes or financed by rival nation-states were in progress.

Another alternative, in cases where this is not possible, is the use of other encryption APIs, including options provided by Microsoft itself, as an alternative. In addition, when possible, it is also possible to disable the caching of certificates, so that each application has its legitimacy analyzed independently, which would also make it possible to identify the use of manipulated or falsified resources.

Source: Akamai