The August 2022 Windows Updates* brought a fix for CVE-2022-34689, a vulnerability in Windows CryptoAPI that allows an attacker to trick some Windows applications (depending on how they use CryptoAPI's certificate caching) into accepting a fraudulent certificate. The vulnerability was reported to Microsoft by the UK's NCSC and the NSA; Tomer Peled and Yoni Rozenshein of Akamai subsequently reverse engineered Microsoft's patch and published a detailed analysis with a proof-of-concept.
(* Microsoft published this information in October 2022, but had silently shipped the patch two months earlier.)
The vulnerability is actually a cryptographic flaw: the long-broken MD5 hash is used as the identifier (thumbprint) of cached certificates. An attacker who can produce a fraudulent certificate with the same MD5 thumbprint as a legitimate certificate that the application has already verified and cached can make the application treat the fraudulent certificate as that cached, valid one. Since the attacker does not control the legitimate certificate, this requires a chosen-prefix MD5 collision, which is costly but has been practical for years.
It is hard to say which applications are vulnerable: any Windows application using CryptoAPI with certificate caching is a potential candidate, but exploitability may depend on how the application is used. For instance, Akamai researchers identified old Chrome versions as vulnerable, allowing a malicious web site with a fake certificate to impersonate a legitimate web site.
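To make the flaw concrete, here is a small Python model of a thumbprint-keyed certificate cache. It is an added illustration written for this post, not code from crypt32 or from the Akamai proof-of-concept, and the cache layout, class names and function names are assumptions made for the example. The two colliding blobs are the public MD5 collision pair by Wang et al. (2004); they are not certificates, and in a real attack the colliding blob must also be a well-formed certificate, which is why a chosen-prefix collision is needed. With compare_bytes=False the cache reuses the verdict of the cached, already-verified certificate for anything with the same MD5; with compare_bytes=True it performs the same length check and byte-for-byte comparison that the micropatch adds, and the collision is treated as a cache miss.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Public MD5 collision pair (Wang et al., 2004): two different 128-byte blobs
# with identical MD5 digests. In this example BLOB_A stands in for the
# legitimate certificate and BLOB_B for the attacker's fraudulent one.
BLOB_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOB_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def thumbprint(encoded: bytes) -> bytes:
    """Cache key: MD5 of the encoded certificate (the weak identifier)."""
    return hashlib.md5(encoded).digest()


class CertCache:
    """Simplified (assumed) model of a thumbprint-keyed certificate cache.

    compare_bytes=False reproduces the flaw: a thumbprint hit is taken at face
    value. compare_bytes=True models the fix: the hit is only accepted if the
    cached and presented encodings have the same length and identical bytes.
    """

    def __init__(self, compare_bytes: bool) -> None:
        self.compare_bytes = compare_bytes
        # thumbprint -> (encoded certificate, verification verdict)
        self._entries: Dict[bytes, Tuple[bytes, bool]] = {}

    def lookup(self, encoded: bytes) -> Optional[bool]:
        entry = self._entries.get(thumbprint(encoded))
        if entry is None:
            return None
        cached_encoded, trusted = entry
        if self.compare_bytes and (
            len(cached_encoded) != len(encoded) or cached_encoded != encoded
        ):
            return None  # same MD5, different bytes: a collision, treat as a miss
        return trusted

    def store(self, encoded: bytes, trusted: bool) -> None:
        self._entries[thumbprint(encoded)] = (encoded, trusted)


def verify_with_cache(
    cache: CertCache, encoded: bytes, full_verify: Callable[[bytes], bool]
) -> bool:
    """Reuse a cached verdict when the cache claims to have seen this certificate."""
    cached = cache.lookup(encoded)
    if cached is not None:
        return cached
    trusted = full_verify(encoded)
    cache.store(encoded, trusted)
    return trusted


def run_scenario(compare_bytes: bool) -> Tuple[bool, bool]:
    """Returns (verdict for the legitimate blob, verdict for the colliding blob)."""
    cache = CertCache(compare_bytes)
    # Constructed stand-in for full chain validation: only the legitimate blob passes.
    full_verify = lambda c: c == BLOB_A
    first = verify_with_cache(cache, BLOB_A, full_verify)   # populates the cache
    second = verify_with_cache(cache, BLOB_B, full_verify)  # attacker's blob
    return first, second


if __name__ == "__main__":
    print("same MD5:", thumbprint(BLOB_A) == thumbprint(BLOB_B),
          "same bytes:", BLOB_A == BLOB_B)
    print("vulnerable cache (legit, fraudulent):", run_scenario(compare_bytes=False))
    print("patched cache    (legit, fraudulent):", run_scenario(compare_bytes=True))
```

The vulnerable configuration returns (True, True): the fraudulent blob inherits the cached verdict of the legitimate one. The patched configuration returns (True, False), because the byte comparison exposes the MD5 match as a collision and the blob has to go through full verification, which it fails.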
While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.
Our patches are logically equivalent to Microsoft's patches for this issue. The source code of the 64-bit micropatch follows:
MODULE_PATH ".\crypt32.dll"
PATCH_ID 1000006
PATCH_FORMAT_VER 2
VULN_ID 1000007
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x159f9
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT msvcrt!memcmp,crypt32!0x18c14,crypt32!0x15a01,crypt32!0x15a26
    ; 0x18c14 -> CCertObject::Release
    ; 0x15a01 -> FindEndObjectByHash block (continuation when there is no usable cache hit)
    ; 0x15a26 -> continuation when the cached certificate is used (not yet named; original note: "don't know yet")

    code_start
        mov rsi, rax               ; rax holds the CCertObject* returned by the cache lookup
        test rax, rax              ; was a certificate found in the cache?
        jz LABEL                   ; no cache hit: nothing to verify, continue
        mov rcx, [rax+58h]         ; PCCERT_CONTEXT of the cached certificate
        mov rdx, [rsp+50h]         ; PCCERT_CONTEXT of the certificate currently being processed
        mov eax, [rcx+10h]         ; cbCertEncoded of the cached certificate
        cmp eax, [rdx+10h]         ; compare with cbCertEncoded of the current certificate
        jnz LABEL2                 ; different lengths: the MD5 match is a collision, drop the hit
        mov rdx, [rdx+8]           ; memcmp arg 2: pbCertEncoded of the current certificate
        mov r8d, eax               ; memcmp arg 3: number of bytes to compare
        mov rcx, [rcx+8]           ; memcmp arg 1: pbCertEncoded of the cached certificate
        call PIT_memcmp            ; byte-for-byte comparison of the two encoded certificates
        test eax, eax              ; memcmp returns 0 if the buffers are identical
        jz LABEL                   ; identical: the cache hit is genuine, keep it
    LABEL2:
        mov rcx, rsi               ; the CCertObject* returned by the cache lookup
        call PIT_0x18c14           ; CCertObject::Release decrements the object's reference count;
                                   ; when it reaches 0, ~CCertObject and PkiFree are called
        xor rsi, rsi               ; rsi = 0: behave as if there had been no cache hit
        mov [rsp+58h], rsi         ; clear the stored pointer to the cached certificate
    LABEL:
        test rsi, rsi              ; do we still have a (byte-verified) cache hit?
        jnz PIT_0x15a26            ; yes: the cached certificate is identical to the current one, use it
        jmp PIT_0x15a01            ; no: continue as if the certificate was not in the cache
    code_end
patchlet_end
Micropatch Availability
The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1809
- Windows 10 v1803
- Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
- Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows systems that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We'd like to thank Tomer Peled and Yoni Rozenshein of Akamai for sharing their PoC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.