A Google security researcher revealed today that an unpatched problem in Microsoft’s core cryptographic library can cause a denial-of-service (DoS) condition on servers running Windows 8 and later.
The problem is in SymCrypt, the primary library implementing symmetric cryptographic algorithms since Windows 8 and asymmetric algorithms since Windows 10 version 1703.
A malformed certificate triggers the bug
Tavis Ormandy, a Google vulnerability researcher, found that SymCrypt can easily be sent into an endless loop during an “operation to calculate the modular inverse with bcryptprimitives!SymCryptFdefModInvGeneric on specific bit patterns.”
He was able to trigger the bug using a specially crafted X.509 digital certificate that prevents the verification process from ever completing; any program that processes the certificate on an affected system triggers the vulnerability.
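The hang described above comes from a modular-inverse routine running on attacker-controlled bit patterns. As an added illustration of the property such a routine needs (example code written for this article, not SymCrypt’s code, and not a reproduction of the reported bug), here is an extended-Euclid inverse with a hard iteration cap derived from the modulus size and explicit rejection of non-invertible inputs, so no input can keep a caller such as a TLS handshake or a signature check blocked:

```python
class NonInvertibleError(ValueError):
    """Input has no inverse modulo m (gcd != 1, a == 0, or a degenerate modulus)."""


def modinv_bounded(a: int, m: int) -> int:
    """Return a^-1 mod m, or raise; never loops indefinitely on any input.

    Extended Euclid on (a mod m, m) needs at most about 1.44 * bitlen(m) + 2
    division steps (Lame's theorem), so 2 * bitlen(m) + 2 is a safe hard cap.
    Hitting the cap means the routine itself is broken, and the right reaction
    is to fail loudly rather than keep the caller blocked forever.
    """
    if m <= 1:
        raise NonInvertibleError("modulus must be greater than 1")
    a %= m
    if a == 0:
        raise NonInvertibleError("0 has no inverse modulo m")

    max_steps = 2 * m.bit_length() + 2
    old_r, r = a, m                  # remainders
    old_s, s = 1, 0                  # Bezout coefficients for a
    for _ in range(max_steps):
        if r == 0:
            break
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    else:
        # Unreachable for a correct implementation; kept as the DoS guard.
        raise RuntimeError("modular inverse exceeded its iteration bound")
    if old_r != 1:                   # gcd(a, m) != 1: reject instead of misbehaving
        raise NonInvertibleError(f"gcd(a, m) = {old_r}, no inverse exists")
    return old_s % m


def is_invertible(a: int, m: int) -> bool:
    """Boolean wrapper so callers can reject a bad parameter before heavy work."""
    try:
        modinv_bounded(a, m)
        return True
    except NonInvertibleError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a textbook RSA pair (e = 17 modulo phi = 3120) and a
    # non-coprime pair of the kind a malformed certificate could carry.
    print(modinv_bounded(17, 3120))   # 2753
    print(is_invertible(6, 9))        # False
```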
A malformed certificate can reach affected systems in a variety of ways, because certificates are used by secure Internet protocols (e.g. TLS) and for the validation of digital signatures.
It can be delivered in digitally signed or encrypted messages over S/MIME, or through a Secure Channel (Schannel) connection, which handles authentication between clients and servers.
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It’s a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn’t.
— Tavis Ormandy (@taviso) 11 June 2019
The researcher rates the bug as low severity, but notes that it could help an attacker take down a Windows fleet in a short period.
Ormandy says an attacker could DoS any Windows server, such as one running IPsec (used for VPN connections), Internet Information Services (IIS), or Microsoft Exchange Server.
Under certain conditions, the machine may need a reboot to return to normal operation.
“Obviously, lots of software processing untrusted content (such as antivirus) will call these routines on untrusted data and cause them to be blocked,” the researcher writes in an advisory that includes a proof-of-concept certificate demonstrating the problem.
Microsoft misses the deadline for patch delivery
Ormandy reported the problem privately to Microsoft in March 2019, and the company replied that it would have a fix by June 11.
Although that date exceeded the responsible-disclosure grace period by one day, Ormandy accepted the extension.
However, a subsequent message from the Microsoft Security Response Center (MSRC) indicated that a patch would not be ready until next month’s security update release.
These circumstances led Ormandy to make the details public. “As it is 91 days today, de-restricting the issue,” he announced in a comment on the vulnerability disclosure.