Tavis Ormandy, a white hat hacker at Google Project Zero, announced that he has found a zero-day flaw in SymCrypt, the cryptographic library of Microsoft's Windows operating system.

The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

The flaw was found by white hat hacker Tavis Ormandy from Google Project Zero. In line with Google's 90-day disclosure policy, Ormandy publicly released details and a proof-of-concept for the flaw.

Ormandy privately reported the flaw to Microsoft in March 2019, but the tech giant failed to fix it within the 90-day deadline.

The unpatched vulnerability affects Windows 8 servers and above.

According to Microsoft, SymCrypt is the primary library for implementing symmetric cryptographic algorithms in Windows 8; starting with Windows version 1703, it also implements asymmetric cryptographic algorithms.

Ormandy discovered that it is possible to trigger the flaw to cause an infinite loop when performing specific cryptographic operations.

“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.” wrote the expert.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
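The bug class described above is a multi-precision modular-inverse routine that fails to terminate on certain inputs. The following C program is an added illustration, not code from the article and not SymCrypt's own routine (which is not shown here and whose specific defect is not reproduced): it computes a modular inverse with the extended Euclidean algorithm on 64-bit operands and shows the two defensive properties a practitioner would look for in such a routine, namely rejecting non-invertible inputs before any loop runs, and putting a hard, width-derived iteration cap on the loop so that an arithmetic or logic defect surfaces as an error code instead of a hung process. Plain extended Euclid always terminates on its own, so the cap is belt-and-braces; the function names, status codes and sample values are all constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes returned by modinv_bounded() (names chosen for this example). */
typedef enum {
    MODINV_OK = 0,
    MODINV_NOT_INVERTIBLE = 1,   /* gcd(a, m) != 1, so no inverse exists */
    MODINV_BAD_INPUT = 2,        /* modulus out of range or NULL output */
    MODINV_ITER_LIMIT = 3        /* loop guard tripped: treat as a bug, never spin */
} modinv_status;

/* Largest modulus supported: keeps the signed Bezout coefficients (|s| < m)
   and the q * s1 product (|q * s1| < 2m) inside int64_t without overflow. */
#define MODINV_MAX_MODULUS (UINT64_C(1) << 62)

/* Hard upper bound on Euclid steps for 64-bit operands. The worst case
   (consecutive Fibonacci numbers) needs about 1.44 * 64 ~= 93 divisions,
   so 130 is a comfortable ceiling; exceeding it can only mean a defect. */
#define MODINV_MAX_ITER 130u

/* Computes x with a * x == 1 (mod m) via the extended Euclidean algorithm.
   Not constant-time; illustrative only. */
modinv_status modinv_bounded(uint64_t a, uint64_t m, uint64_t *out)
{
    if (out == NULL || m < 2 || m > MODINV_MAX_MODULUS)
        return MODINV_BAD_INPUT;

    a %= m;
    if (a == 0)
        return MODINV_NOT_INVERTIBLE;   /* 0 never has an inverse */

    /* Loop invariant: r0 == s0 * a (mod m) and r1 == s1 * a (mod m). */
    uint64_t r0 = m, r1 = a;
    int64_t  s0 = 0, s1 = 1;
    unsigned iter = 0;

    while (r1 != 0) {
        if (++iter > MODINV_MAX_ITER)
            return MODINV_ITER_LIMIT;   /* bounded: a bug cannot become a hang */
        uint64_t q  = r0 / r1;
        uint64_t r2 = r0 - q * r1;
        int64_t  s2 = s0 - (int64_t)q * s1;
        r0 = r1; r1 = r2;
        s0 = s1; s1 = s2;
    }

    if (r0 != 1)
        return MODINV_NOT_INVERTIBLE;   /* gcd(a, m) > 1 */

    /* s0 is a Bezout coefficient in (-m, m); normalise it into [0, m). */
    int64_t t = s0 % (int64_t)m;
    if (t < 0)
        t += (int64_t)m;
    *out = (uint64_t)t;
    return MODINV_OK;
}

/* Helpers for callers that only want the value or only the status. */
uint64_t modinv_or_zero(uint64_t a, uint64_t m)
{
    uint64_t x = 0;
    return modinv_bounded(a, m, &x) == MODINV_OK ? x : 0;
}

modinv_status modinv_status_of(uint64_t a, uint64_t m)
{
    uint64_t x = 0;
    return modinv_bounded(a, m, &x);
}

int main(void)
{
    /* Constructed sample inputs, including the cases a naive loop mishandles. */
    struct { uint64_t a, m; } cases[] = {
        { 3, 7 },        /* inverse 5 */
        { 17, 3120 },    /* textbook RSA example: inverse 2753 */
        { 4, 8 },        /* even/even: no inverse */
        { 0, 97 },       /* zero: no inverse */
        { 10, 1 },       /* modulus too small */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t x = 0;
        modinv_status st = modinv_bounded(cases[i].a, cases[i].m, &x);
        if (st == MODINV_OK)
            printf("inv(%" PRIu64 " mod %" PRIu64 ") = %" PRIu64 "\n",
                   cases[i].a, cases[i].m, x);
        else
            printf("inv(%" PRIu64 " mod %" PRIu64 "): status %d\n",
                   cases[i].a, cases[i].m, (int)st);
    }
    return 0;
}
```

The point of the explicit cap is that a cryptographic routine fed attacker-controlled operands (a certificate's key or parameters, as in the case above) must fail closed: a wrong answer or an error code can be handled by the caller, while an unbounded loop takes the whole process with it.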

The white hat hacker used a specially crafted X.509 digital certificate to trigger the flaw; he explained that any application running on the system that processes the certificate can trigger the vulnerability.

Specially crafted certificates could be provided in multiple ways, for example in digitally signed and encrypted messages via the S/MIME protocol.

Ormandy explained that in some cases it would be necessary to reboot the vulnerable machine to return it to a normal state.

The Microsoft Security Response Center (MSRC) told the Google expert that it will not be able to provide a security patch before next month.

Pierluigi Paganini

(SecurityAffairs – SymCrypt, hacking)
