Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Centre (NCSC) and patched by Microsoft last year, according to Akamai’s researchers.
CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities.
The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this would involve getting said files onto victims’ machines and having them run.
Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyze the certificate. The app then believes the attacker is the spoofed organization. The bug isn’t a remote code execution flaw; it’s a vulnerability that allows someone to impersonate another party to an application or operating system, in the context of identity and certificate cryptography checks on Windows.
Microsoft quietly patched the vulnerability in August 2022; though it was labeled critical, it was given a CVSS severity score of just 7.5 out of 10. Later, when Redmond disclosed the bug in October, the IT giant said the security flaw hadn’t been exploited and wasn’t publicly known, but it did deem “exploitation more likely.”
And now that Akamai has published proof-of-concept