Researchers have developed a proof-of-concept (PoC) exploit for a public x.509 certificate-spoofing vulnerability in the Windows CryptoAPI that the NSA and the National Cyber Security Center (NCSC) reported to Microsoft last year.
Microsoft quietly patched the bug, tracked as CVE-2022-34689, in its August 2022 monthly Patch Tuesday security update, but only publicly disclosed it in October. At the time, it assessed the vulnerability as one that attackers were more likely to exploit. But it offered scant details on the bug or how an attacker might exploit it.
"When the patch was released, this bug was missing from [Microsoft's] release notes," says Yoni Rozenshein, security researcher at Akamai. "It was announced retroactively two months later, in October, and there seems to be no information available that describes the vulnerability and how it's exploited."
Proof-of-Concept Attack for CVE-2022-34689
Researchers at Akamai who have been analyzing the vulnerability for the past several months this week released details of an attack they developed for it, which they said would allow attackers to spoof the target certificate and masquerade as any website, with the ability to take a variety of malicious actions.
"The vulnerable browser would show the green lock icon indicating a secure connection even though the connection is completely controlled by the attacker," Rozenshein says. He described Akamai's PoC for it as the first for the bug.
CryptoAPI is a Windows application programming interface that developers use to enable support for cryptography for their applications. One of CryptoAPI's roles is to verify the authenticity of digital certificates. And it is in this function where the vulnerability exists, Rozenshein says.
To verify the authenticity of a certificate, CryptoAPI first checks to see if it already exists in the receiving application's certificate cache. If it does, CryptoAPI treats the received certificate as verified. Prior to Microsoft's patch for it, CryptoAPI determined whether a received certificate was already in the certificate cache or not merely by comparing MD5 hash thumbprints. If the received certificate's MD5 thumbprint matched the MD5 thumbprint of a certificate in cache, CryptoAPI treated the received certificate as verified, even if the actual contents of the two certificates did not match exactly.
That opens the door for cyberattackers to introduce an imposter certificate.
MD5 Thumbprints: An Incorrect Assumption
Prior to the patch, "Microsoft inherently trusts the validity of cached certificates and doesn’t perform any additional validity checks after an end certificate is found in the cache," Akamai said in its report. While this by itself is a reasonable assumption, CryptoAPI's trust that two end certificates are identical if their MD5 thumbprints match "is an incorrect assumption that can be exploited, and was the genesis of the patch," Akamai noted.
To prove how an attacker could exploit the issue, Akamai researchers first generated two certificates — one legitimately signed and the other malicious — and rigged them so they would both end up having the same MD5 thumbprints. They then devised a way to serve the first, legitimate certificate to an application with a vulnerable version of CryptoAPI (in this case, an old version of Chrome — v48). Once the application had verified the certificate and stored it in its end certificate cache, Akamai showed how an attacker could then use a man-in-the-middle attack to serve the second malicious certificate to the same application and have it be verified as authentic.
Two conditions need to exist for the attack to work, Rozenshein says. One is that the application needs to be missing the Windows patch that Microsoft released last August. The other is that the application must use CryptoAPI for certificate verification and enable a CryptoAPI feature called "end certificate caching." The feature is disabled by default on CryptoAPI, but some applications enable it to boost performance. It is these applications that attackers can target, if an organization has not patched them.
"We are still actively researching and looking to find more vulnerable applications," Rozenshein says.
Easy to Exploit
Rozenshein says an attacker with control over a network can exploit the flaw without much difficulty. "They will need to compute an MD5 collision, but this can be done in advance, cheaply and in only a few hours," he says pointing to previous research that has shown how it is possible for an attacker to generate two certificates with the same MD5 thumbprint.
Once the MD5 thumbprint is calculated, the attack can be carried out easily, Rozenshein says. How an attacker carries out the next two phases of the attack (serving the two certificates) depends on the type of application being targeted, he adds: "In the case of Web browsers, we have found that simply resetting the connection after the first phase has been completed causes the browser to immediately try to reconnect. This is when the attack switches to the second phase."
Microsoft did not immediately respond to a request for comment on Akamai's research or PoC attack.
CVE-2022-34689 is the second flaw in CryptoAPI that the NSA has disclosed to Microsoft in recent years. In 2020, they reported a similar issue, tracked as CVE-2020-061, or the Curveball vulnerability. Akamai assessed the more recently disclosed flaw as presenting less of a threat than CurveBall because there are more prerequisites attached to it and therefore has a more limited scope of vulnerable targets.