Proof-of-concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability, discovered by the NSA and the UK's NCSC, that allows certificate spoofing through MD5 collisions.
Tracked as CVE-2022-34689, this security flaw was patched in the security updates released in August 2022, but Microsoft only disclosed it publicly in October, when the advisory was first released.
“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft explained.
Unauthenticated attackers can exploit this bug (rated critical by Redmond) in low-complexity attacks.
Today, security researchers from cloud security company Akamai published a proof-of-concept (PoC) exploit and shared an OSQuery query to help defenders detect versions of the CryptoAPI library that are vulnerable to attack.
“We have been looking for apps in the wild that use CryptoAPI in a way that is vulnerable to this spoofing attack. So far we have found that older versions of Chrome (v48 and earlier) and apps based on Chromium can be exploited,” the researchers said.
“We believe there are more vulnerable targets in the wild and our research is still ongoing. We have found that less than 1% of visible devices in data centers are patched, leaving the rest unprotected against exploitation of this vulnerability.”
By exploiting this vulnerability, attackers can affect trust validation for HTTPS connections and signed executable code, files, or emails.
For example, hackers could take advantage of this vulnerability to sign malicious executables with a forged code-signing certificate, making the file appear to come from a trusted source.
As a result, targets would have no indication that the file is actually malicious, since the digital signature appears to be from a reputable and trustworthy provider.
If an attack using a CVE-2022-34689 exploit is successful, it could also give attackers the ability to perform man-in-the-middle attacks and decrypt confidential information about user logins to affected software, such as web browsers that use the Windows CryptoAPI cryptography library.
“There is still a lot of code that uses this API and could be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7. We recommend that you patch your Windows servers and endpoints with the latest security patch released by Microsoft,” Akamai said.
“Another option for developers to mitigate this vulnerability is to use other WinAPIs to verify the validity of a certificate before using it, such as CertVerifyCertificateChainPolicy. Keep in mind that applications that do not use the caching of the final certificate are not vulnerable.”
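As an added illustration of the defender-side checks above (this is not Akamai's or Microsoft's code), the following PowerShell script reports the installed crypt32.dll build for comparison against the August 2022 update, and re-validates a signed file's certificate chain end to end instead of trusting a previously cached verdict. The minimum version is a placeholder to be taken from the Microsoft advisory; the hypothetical `Test-SignerChain` check also requires that the leaf certificate in the built chain is byte-identical to the certificate that actually signed the file.

```powershell
# Added example, not part of the article or of Akamai's PoC.
# PLACEHOLDER: replace with the crypt32.dll build shipped in the August 2022 update.
$MinimumCrypt32Version = [version]'0.0.0.0'

function Get-Crypt32Status {
    # Reports the crypt32.dll file version on this host and whether it meets the threshold.
    $path = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $vi = (Get-Item $path).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path      = $path
        Installed = $installed
        Patched   = ($installed -ge $MinimumCrypt32Version)
    }
}

function Test-SignerChain {
    # Fails closed: any Authenticode or chain problem, or a leaf certificate that
    # differs from the signer, yields Trusted = $false with the reason attached.
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $FilePath; Trusted = $false; Reason = "Authenticode status: $($sig.Status)" }
    }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode     = 'Online'
    $chain.ChainPolicy.RevocationFlag     = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags  = 'NoFlag'
    # Require the code-signing EKU (1.3.6.1.5.5.7.3.3) so a TLS-only certificate cannot vouch for code.
    $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
    $built = $chain.Build($sig.SignerCertificate)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    # The bug substituted a cached certificate for the presented one; insist that the
    # leaf the chain engine validated is exactly the certificate that signed the file.
    $leaf = $chain.ChainElements[0].Certificate
    $sameLeaf = [System.Linq.Enumerable]::SequenceEqual([byte[]]$leaf.RawData, [byte[]]$sig.SignerCertificate.RawData)
    if (-not $sameLeaf) { $problems += 'Chain leaf does not match the signing certificate' }
    [pscustomobject]@{
        File    = $FilePath
        Trusted = ($built -and $sameLeaf -and $problems.Count -eq 0)
        Reason  = ($problems -join '; ')
    }
}

Get-Crypt32Status
Test-SignerChain -FilePath (Join-Path $env:SystemRoot 'System32\notepad.exe')
```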
The NSA reported another Windows CryptoAPI spoofing flaw (CVE-2020-0601) two years ago, one with a much wider scope that affected far more potentially vulnerable targets.
At the time, CISA ordered federal agencies to patch all affected endpoints within ten business days in its second-ever Emergency Directive.