Researchers from Akamai have released a proof-of-concept for a vulnerability affecting a Microsoft tool that allows the Windows’ application programming interface to deal with cryptography.
The vulnerability, CVE-2022-34689, was discovered by the United Kingdom’s National Cyber Security Centre and the National Security Agency. It affects a tool called CryptoAPI and allows an attacker to masquerade as a legitimate entity. The bug, which carries a vulnerability score of 7.5 out of a possible 10, was patched in August 2022 but only disclosed by Microsoft in October.
Microsoft did not respond to requests for comment about the time discrepancy.
Akamai researchers explained that CryptoAPI is the “de facto API in Windows for handling anything related to cryptography.”
“In particular, it handles certificates — from reading and parsing them to validating them against verified certificate authorities (CAs). Browsers also use CryptoAPI for TLS [Transport Layer Security] certificate validation — a process that results in the lock icon everyone is taught to check,” the researchers explained.
“As one can imagine, a vulnerability in the verification process of certificates is very lucrative for attackers, as it allows them to mask their identity and bypass critical security protections.”
Akamai researcher Yoni Rozenshein said that when the patch was released the bug was missing from the release notes.
When it was finally announced retroactively two months later, there was no information available that described the vulnerability and how it is exploited.
“Despite this being months after the patch, Akamai researchers are the first to fully analyze and provide a PoC for this interesting and complex bug,” Rozenshein said.
“In order to exploit this vulnerability two things need to be true: The machine needs to be missing the Windows patch that was released in August 2022 and the application must use CryptoAPI for certificate verification, and enable a CryptoAPI feature called ‘end certificate caching.’ This was intended as a performance-boosting feature, but a bug in its implementation causes it to be vulnerable.”
Remember the vulnerability in CryptoAPI which could result in an attacker masquerading as a legitimate entity?— Akamai Security Research (@akamai_research) January 25, 2023
Akamai researchers analyzed it and have found a way to exploit it.
See the write-up here:https://t.co/O649fnWKjc pic.twitter.com/2VAFMgodWV
In a blog post, Akamai researchers said the bug requires taking “a legitimate certificate, modifying it, and serving the modified version to the victim.” From there, a new certificate is created allowing an attacker to spoof the identity of the original certificate’s subject.
Akamai said it has found that old versions of Chrome – v48 and earlier – and Chromium-based applications can be exploited using CVE-2022-34689. But the researchers believe there are other vulnerable targets in the wild.
“We found that fewer than 1% of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability,” Akamai researchers said.
The vulnerability is particularly concerning, they added, because of how important certificates are to identity verification online, making it a potentially lucrative bug for attacks.
While the bug has a limited scope, Akamai said there may still be “a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7.”