Proof-of-concept (Poc) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year.
Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but was only publicly disclosed two months later on October 11, 2022.
“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft said in an advisory released at the time.
The Windows CryptoAPI offers an interface for developers to add cryptographic services such as encryption/decryption of data and authentication using digital certificates to their applications.
Web security company Akamai, which released the PoC, said CVE-2022-34689 is rooted in the fact that the vulnerable piece of code that’s designed to accept an x.509 certificate carried out a check that solely relied on the certificate’s MD5 fingerprint.
MD5, a message-digest algorithm used for hashing, is essentially cryptographically broken as of December 2008 owing to the risk of birthday attacks, a cryptanalytic method used to find collisions in a hash function.
The net effect of this shortcoming is that it opens the door for a bad actor to serve a modified version of a legitimate certificate to a victim app, and then create a new certificate whose MD5 hash collides with the rigged certificate and use it to masquerade as the original entity.
In other words, the flaw could be weaponized by a rogue interloper to stage a mallory-in-the-middle (MitM) attack and redirect users relying on an old version of Google Chrome (version 48 and earlier) to an arbitrary website of the actor’s choosing simply because the susceptible version of the web browser trusts the malicious certificate.
“Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers,” Akamai said.
Although the flaw has a limited scope, the Massachusetts-headquartered firm pointed out “there is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7.”