Critical CryptoAPI Spoofing Flaw in Windows PoC Exploit Released

 

Proof-of-concept (PoC) code has been made available for a high-severity security vulnerability in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year.

The CVE-2022-34689 spoofing vulnerability, with a CVSS score of 7.5, was fixed by the tech giant as part of Patch Tuesday updates delivered in August 2022, although it wasn't made public until October 11, 2022. 

In an advisory released at the time, Microsoft warned that "an attacker might alter an existing public x.509 certificate to impersonate their identity and conduct actions such as authentication or code signing as the targeted certificate."

The Windows CryptoAPI provides an interface for programmers to integrate cryptographic services, such as data encryption and decryption and digital certificate authentication, into their programmes.

According to web security firm Akamai, which published the proof-of-concept, CVE-2022-34689 was caused by a vulnerable piece of code that was intended to accept an X.509 certificate and performed a check that considered only the certificate's MD5 fingerprint.

MD5, a message-digest algorithm used for hashing, has been cryptographically broken in practice as of December 2008 because of birthday attacks, a cryptanalytic technique used to identify collisions in a hash function.

A bad actor might use this flaw to provide a modified version of a genuine certificate to a victim app, then construct a new certificate whose MD5 hash collides with the compromised certificate and use it to pose as the original entity. 

In other words, the vulnerability could be exploited by a malicious third party to launch a mallory-in-the-middle (MitM) attack and redirect users running an outdated version of Google Chrome (version 48 and earlier) to any website of the attacker's choosing, simply because the vulnerable web browser trusts the malicious certificate.
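The fingerprint-only check described above, set beside a hardened lookup, as an added example that is not taken from Akamai's proof-of-concept or from Windows code. The two cache classes are hypothetical, the certificate bytes are constructed placeholders, and a 16-bit truncation of SHA-256 stands in for MD5 so that two inputs with the same fingerprint can be produced in-process.

```python
import hashlib
import hmac
from itertools import count

def weak_fp(blob: bytes) -> bytes:
    # Assumption: 16 bits of SHA-256 stand in for a collision-prone MD5 fingerprint.
    return hashlib.sha256(blob).digest()[:2]

class FingerprintOnlyCache:
    """Vulnerable pattern: a certificate is 'known' if its fingerprint is known."""
    def __init__(self):
        self._seen = set()
    def remember(self, cert: bytes) -> None:
        self._seen.add(weak_fp(cert))
    def is_trusted(self, cert: bytes) -> bool:
        return weak_fp(cert) in self._seen

class FullCompareCache:
    """Hardened pattern: the fingerprint only selects a bucket; bytes must match."""
    def __init__(self):
        self._buckets = {}
    def remember(self, cert: bytes) -> None:
        self._buckets.setdefault(weak_fp(cert), []).append(cert)
    def is_trusted(self, cert: bytes) -> bool:
        bucket = self._buckets.get(weak_fp(cert), [])
        return any(hmac.compare_digest(cert, known) for known in bucket)

def same_fingerprint_blob(target: bytes) -> bytes:
    """Build constructed test data: different bytes, identical weak fingerprint."""
    for i in count():
        candidate = b"constructed-unrelated-cert-%d" % i
        if weak_fp(candidate) == weak_fp(target):
            return candidate

def run_demo() -> dict:
    genuine = b"constructed-genuine-cert"  # placeholder bytes, not real DER
    other = same_fingerprint_blob(genuine)
    weak, hardened = FingerprintOnlyCache(), FullCompareCache()
    weak.remember(genuine)      # both caches validated 'genuine' earlier
    hardened.remember(genuine)
    return {
        "bytes_differ": other != genuine,
        "fingerprint_only_accepts_other": weak.is_trusted(other),
        "full_compare_accepts_other": hardened.is_trusted(other),
        "full_compare_accepts_genuine": hardened.is_trusted(genuine),
    }

if __name__ == "__main__":
    print(run_demo())
```

The hardened cache still uses the short fingerprint as an index, so lookups stay fast, but the trust decision rests on a byte-for-byte comparison of the stored certificate.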

"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers," Akamai stated.

The Massachusetts-based company noted that despite the flaw's limited reach, "there is still a lot of code that utilises this API and might be susceptible to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7."