[German]Google security expert Tavis Ormandy of Google's Project Zero security initiative disclosed an unpatched vulnerability in Microsoft's Symcrypt operating system's main cryptographic library. The vulnerability can cause a Denial of Service (DoS) condition in Windows 8 servers and higher.
Advertising
The vulnerability was discovered by Tavis Ormandy of Google's Project Zero security initiative and reported to Microsoft. After the 90-day deadline for reporting the vulnerability expired, Ormandy now publishes the information and points to Twitter:
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
— Tavis Ormandy (@taviso) 11. Juni 2019
Ormandy documented the whole thing here and also provided test certificates to trigger the vulnerability.
Error in SymCrypt
There is a bug in the SymCrypt encryption library that has been used since Windows 8 for symmetric encryption functions. Windows 10 has been using the library for all cryptographic functions since October 2017.
Ormandy has noticed that one can send the multi-precision arithmetic routines with certain data in an infinite loop when calculating the send. This acts as a denial of service attack (DoS). Ormandy was able to create an X.509 certificate that triggers the error.
Advertising
Tests have shown that embedding the prepared certificate in an S/MIME message, an authentication signature, a channel connection, etc. effectively forces any Windows server (e.g. ipsec, iis, exchange, etc.) to hang. Depending on the context, only a restart of the machine will help to get back to work. Ormandy writes that apparently many programs that process untrusted content (such as antivirus programs), write these routines with untrusted data. This then leads to a machine shutdown. Users can check this and will notice that the following command will never complete:
C:\> certutil.exe testcase.crt
Ormandy classifies the vulnerability as a low threat level. Microsoft has not yet released a patch, so Ormandy has disclosed the information after the 90-day period. On Github you can find the source code of a module to exploit the vulnerability. Bleeping Computer has this article about that topic.
