Akamai researchers have published a PoC exploit for a critical vulnerability (CVE-2022-34689) in Windows CryptoAPI, which validates public key certificates.
“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft said in October 2022, when they announced fixes for vulnerable Windows and Windows Server versions.
The vulnerability was actually patched in August 2022, but its existence was only revealed two months later, likely to avoid alerting attackers before the security updates were widely deployed.
“The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free. Since 2009, MD5’s collision resistance is known to be broken,” researchers Tomer Peled and Yoni Rozenshein explained.
“The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate’s subject.”
But there is some good news: CVE-2022-34689 can’t be as widely exploited as CVE-2020-0601 (also called “CurveBall”), a similar Windows CryptoAPI spoofing vulnerability that has been leveraged by Chinese state-sponsored hackers and was, at one time, among the top 10 most exploited vulnerabilities from 2020.
To exploit CVE-2022-34689, a first certificate, generated in a way that facilitates a chosen-prefix collision attack and correctly signed and verified, must first be cached by the CryptoAPI; a second certificate with the same MD5 thumbprint as the first is then trusted immediately, because Microsoft does not re-check certificates that hit the cache.
“The [CryptoAPI caching] mechanism is disabled by default. To enable it, the application developer needs to pass certain parameters to CertGetCertificateChain, the Windows API function that eventually leads to the vulnerable code,” the researchers explained.
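The caching weakness described above, modelled in Python as an added example (not Akamai's or Microsoft's code): a chain cache indexed by a hash of the end certificate, where the vulnerable version trusts any index hit and the hardened version compares the full certificate bytes on every hit. Assumptions: the "certificates" are constructed byte strings rather than real DER, and the index hash is MD5 truncated to 16 bits so that a collision can be found by brute force here in place of a chosen-prefix MD5 collision.

```python
import hashlib
import hmac

# Model of a certificate-chain cache keyed by a hash of the end certificate.
# The page's bug: the MD5-based index key is assumed collision-free, and a
# cache hit is trusted without re-checking the presented certificate.
# Constructed stand-in: MD5 truncated to 16 bits, so a colliding blob is
# cheap to find in this demo (real MD5 needs a chosen-prefix collision).
INDEX_BYTES = 2

def index_key(cert_der: bytes) -> bytes:
    return hashlib.md5(cert_der).digest()[:INDEX_BYTES]

class VulnerableCache:
    """Trusts any lookup whose index key matches a previously verified cert."""
    def __init__(self):
        self.entries = {}
    def remember_verified(self, cert_der: bytes) -> None:
        self.entries[index_key(cert_der)] = cert_der
    def is_trusted(self, cert_der: bytes) -> bool:
        return index_key(cert_der) in self.entries

class HardenedCache:
    """Same index, but a hit counts only if the full certificate bytes match."""
    def __init__(self):
        self.entries = {}
    def remember_verified(self, cert_der: bytes) -> None:
        self.entries[index_key(cert_der)] = cert_der
    def is_trusted(self, cert_der: bytes) -> bool:
        cached = self.entries.get(index_key(cert_der))
        return cached is not None and hmac.compare_digest(cached, cert_der)

def find_colliding_blob(target_der: bytes) -> bytes:
    """Constructed second-phase certificate: a different blob whose
    (truncated) index key equals the legitimate certificate's key."""
    want = index_key(target_der)
    counter = 0
    while True:
        candidate = b"ROGUE-CERT-" + counter.to_bytes(4, "big")
        if candidate != target_der and index_key(candidate) == want:
            return candidate
        counter += 1

def demo() -> tuple:
    legit = b"LEGIT-CERT-CN=example.com"  # constructed, not real DER
    rogue = find_colliding_blob(legit)
    vuln, hard = VulnerableCache(), HardenedCache()
    vuln.remember_verified(legit)
    hard.remember_verified(legit)
    # Vulnerable cache accepts the rogue blob; hardened cache rejects it.
    return vuln.is_trusted(rogue), hard.is_trusted(rogue)
```

The hardened variant is the check a defender wants from any cache keyed on a non-collision-resistant hash: a hit must be confirmed against the object itself, not just its index.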
They found some apps that use the CryptoAPI in such a way – old versions of Chrome (v48 and earlier) and Chromium-based applications – and they believe there are others.
Luckily, successful exploitation of CVE-2022-34689 has two prerequisites: the machine must be running Windows without the patch released by Microsoft, and it must be running an app that uses the CryptoAPI caching mechanism.
The researchers advise admins to apply the latest security patch released by Microsoft on Windows servers and endpoints, and developers to switch to using other WinAPIs to check the validity of a certificate before using it.
Unsupported but still used Windows versions should get a patch, too, they noted, but I doubt that Microsoft will release them given the current limited exploitation scope.