When it comes to dangerous cryptographic bugs on Windows, CryptoAPI is the gift that keeps on giving. The interface can be used by Win32 programs to manage security and cryptographic practices, like validating certificates or verifying identities. But CryptoAPI can also bring potentially critical security flaws to the aforementioned Windows platform, making identity and certificate spoofing easier. According to Akamai Security analysts, that’s exactly what happened with the vulnerability known as CVE-2022-34689. Disclosed by the US NSA and the UK National Cyber Security Center (NCSC), the “Windows CryptoAPI Spoofing Vulnerability” was patched by Microsoft in August 2022 but was publicly announced only in October 2022. According to Redmond’s security bulletin, CVE-2022-34689 can be exploited to spoof an attacker’s true identity and perform actions “such as authentication or code signing as the targeted certificate.” As explained by Akamai, the gist of the issue is that CryptoAPI makes the assumption that “the certificate cache index key, which is MD5-based, is collision-free.” MD5 has been known for being vulnerable to collision issues – two chunks of data which happen to have the very same MD5 hash – for a long time now, but old software versions using CryptoAPI are still vulnerable to the flaw.
CVE-2022-34689 can be exploited by cyber-criminals to digitally sign malicious executables and make them appear as they were coming from trusted and secure sources, or to create a TLS certificate that appears to belong to another (legit) organization and trick an application (ie a web browser) into trusting said malicious certificate. The bug was classified as “critical” and given a CVSS severity score of 7.5 out of 10, with Microsoft saying that exploitation was “most likely” albeit the bug couldn’t be used for remote code execution. Now Akamai has published proof-of-concept (PoC) code that shows how exploitation works, employing an old version of the Chrome web browser (v48) which uses CryptoAPI to check certificate legitimacy. With a man-in-the-middle attack, Akamai researchers were able to use a malicious certificate to break HTTPS security. Akamai said that, besides Chrome 48, there are many other vulnerable targets “in the wild” which are still using the flawed CryptoAPI feature. The worst thing about CVE-2022-34689, however, is that the overwhelming majority of system administrators and professional users didn’t care to install a patch which has been available for six months. According to the security enterprise, “fewer than 1% of visible devices” in data centers are protected, which means that 99% of Windows-based servers visible to the Internet are vulnerable right now.