CVE-2013-3900: Authenticode Signature Verification - Certificate Padding
Description
Microsoft republished this security vulnerability on Jan 21, 2022 to re-address an issue in the WinVerifyTrust function of Windows Server and Windows 10/11. The Authenticode hash of a portable executable (PE) file deliberately excludes the file's certificate table, and WinVerifyTrust did not check that the table contained only the signature itself. An attacker can therefore append arbitrary content to an already-signed PE file (in the padding area of its WIN_CERTIFICATE structure) without invalidating the existing signature. A user who runs such a modified file executes the attacker's code in the context of the current user; if that user is logged in with administrator credentials, the attacker could take complete control of the affected system. Microsoft's bulletin rates the issue Important rather than Critical, because the victim still has to be convinced to run the tampered file, but a successful attack is full remote code execution.
Microsoft released an official patch for this, MS13-098, but it requires an additional setting to take effect. The patch only adds the stricter behavior; administrators must opt in through a registry value before WinVerifyTrust performs strict Windows Authenticode signature verification for PE files. Once opted in, PE files are considered "unsigned" if Windows identifies content in them that does not meet the requirements of the Authenticode specification.
Impact
With this change to Authenticode signature verification, only portable executable (PE) binaries signed in the Windows Authenticode signature format are affected. According to Microsoft's security advisory, the most common scenario in which users will be impacted is installers downloaded from the internet that are customized at download time: some vendors append per-download data inside the signed file's certificate table precisely because doing so did not break the signature, and that is the content the strict check rejects. After opting in, such installers are reported as unsigned, which mainly shows up when installing new applications.
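Before opting in, it helps to know which of your own installers carry extra data in the certificate table. The following PowerShell function is an added example, not part of the original page or of Microsoft's tooling: it reads the PE security data directory, decodes the DER length of the PKCS#7 blob inside the first WIN_CERTIFICATE entry, and reports how many bytes follow it. The function name, the property names and the "at most 7 zero bytes of padding is conformant" rule are my assumptions based on the Authenticode format (dwLength is rounded up to a multiple of 8); they approximate what the strict check rejects and are not Microsoft's implementation.

```powershell
function Get-CertificateTablePadding {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }

    # IMAGE_DOS_HEADER.e_lfanew -> "PE\0\0", then 20-byte COFF header, then the optional header
    $peOff  = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$Path has no PE signature" }
    $optHdr = $peOff + 24
    $magic  = [BitConverter]::ToUInt16($b, $optHdr)
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+, magic 0x20B);
    # entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY, each entry is 8 bytes (VirtualAddress, Size)
    $dirBase = switch ($magic) { 0x10B { 96 } 0x20B { 112 } default { throw ("Unknown optional header magic 0x{0:X}" -f $magic) } }
    $secDir  = $optHdr + $dirBase + (4 * 8)
    $tblOff  = [int][BitConverter]::ToUInt32($b, $secDir)      # a raw file offset, not an RVA
    $tblSize = [int][BitConverter]::ToUInt32($b, $secDir + 4)

    if ($tblOff -eq 0 -or $tblSize -eq 0) {
        return [pscustomobject]@{ Path = $Path; HasSignature = $false; TableLength = 0; Pkcs7Length = 0
                                  ExtraBytes = 0; ExtraIsZero = $true; ConformsToPadding = $true }
    }

    # WIN_CERTIFICATE: dwLength (4) wRevision (2) wCertificateType (2) bCertificate[...]
    # Only the first entry is examined here.
    $dwLength = [int][BitConverter]::ToUInt32($b, $tblOff)
    $certType = [BitConverter]::ToUInt16($b, $tblOff + 6)
    $der      = $tblOff + 8
    if ($certType -ne 0x0002 -or $b[$der] -ne 0x30) { throw "$Path: first certificate entry is not a PKCS#7 SignedData SEQUENCE" }

    # Length of the outer DER SEQUENCE: short form (< 0x80) or long form (0x80 | number of length bytes)
    $l = $b[$der + 1]
    if ($l -lt 0x80) { $hdrLen = 2; $bodyLen = [int]$l }
    else {
        $n = $l -band 0x7F
        $bodyLen = 0
        for ($i = 0; $i -lt $n; $i++) { $bodyLen = $bodyLen * 256 + $b[$der + 2 + $i] }
        $hdrLen = 2 + $n
    }
    $pkcs7Len = $hdrLen + $bodyLen
    $extra    = $dwLength - 8 - $pkcs7Len
    if ($extra -lt 0) { throw "$Path: dwLength is smaller than the DER blob it contains" }

    # Everything between the end of the PKCS#7 blob and dwLength is not covered by the Authenticode hash
    $allZero = $true
    for ($i = $der + $pkcs7Len; $i -lt $der + $pkcs7Len + $extra; $i++) {
        if ($b[$i] -ne 0) { $allZero = $false; break }
    }

    [pscustomobject]@{
        Path              = $Path
        HasSignature      = $true
        TableLength       = $dwLength
        Pkcs7Length       = $pkcs7Len
        ExtraBytes        = $extra
        ExtraIsZero       = $allZero
        # Assumption: up to 7 zero bytes of alignment padding is normal; anything else is what the opt-in rejects
        ConformsToPadding = ($extra -le 7 -and $allZero)
    }
}

# Example: Get-ChildItem 'C:\Installers\*.exe' | ForEach-Object { Get-CertificateTablePadding $_.FullName } | Format-Table
```

Files that come back with ConformsToPadding set to false and a large ExtraBytes count are the download-time customized installers the advisory describes; they will show as unsigned once the registry opt-in below is in place, so verify them with a checksum from the vendor instead, or obtain a clean copy.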
Resolution
First, ensure that the MS13-098 patch has been applied to the system. Since this patch came out in 2013, supported Windows versions (Windows Server 2016, 2019 and 2022, and Windows 10/11) already contain the code change; what is usually missing is the opt-in.
Then add the EnableCertPaddingCheck registry value under the Wintrust\Config key (one value on 32-bit Windows, two on 64-bit Windows) to turn on strict Authenticode signature verification.
For 32-bit Microsoft Windows Version
Create a file in Notepad on the system and paste the following contents.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Save the file with the name and extension "enableAuthenticodeVerification.reg".
Double-click the file (or import it with reg import) to create the registry value, then reboot the computer for the change to take effect.
For 64-bit Microsoft Windows Version
The 64-bit process is the same except that the value has to be created twice: once in the native registry view and once under Wow6432Node, the redirected view that 32-bit processes see, so that 32-bit applications calling WinVerifyTrust get the strict check as well.
Create a file in Notepad on the system and paste the following contents.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Save the file with the name and extension "enableAuthenticodeVerification.reg".
Double-click the file (or import it with reg import) to create both registry values. The .reg syntax above creates them as String (REG_SZ) values, which is the type Microsoft's advisory specifies; do not substitute a DWORD. Then reboot the computer for the change to take effect.
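The same opt-in can be applied and verified from an elevated PowerShell prompt, which is easier to roll out through a management tool than a .reg file. The script below is an added example and not Microsoft's script: it writes the REG_SZ value to the native view and, on 64-bit Windows, to the Wow6432Node view, then reads both back and reports whether each has the documented type and value. The function names and the output property names are my own; the registry paths and the value are the ones from the .reg files above.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the EnableCertPaddingCheck opt-in for CVE-2013-3900 and verify it.

$ValueName = 'EnableCertPaddingCheck'
$Paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit processes read the redirected view, so both views need the value on 64-bit Windows
    $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    if (-not [Environment]::Is64BitProcess) {
        # A 32-bit PowerShell already sees HKLM:\SOFTWARE redirected to Wow6432Node
        throw 'Run this from 64-bit PowerShell so that both registry views are written'
    }
}

function Enable-CertPaddingCheck {
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { New-Item -Path $p -Force | Out-Null }
        # REG_SZ "1": the same type and value that Microsoft's .reg file creates; keep it a string, not a DWORD
        New-ItemProperty -Path $p -Name $ValueName -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    foreach ($p in $Paths) {
        $kind = $null; $value = $null
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if ($key) {
            try {
                $kind  = $key.GetValueKind($ValueName)   # throws if the value does not exist
                $value = $key.GetValue($ValueName)
            } catch { }
        }
        [pscustomobject]@{
            Path      = $p
            Type      = $kind
            Value     = $value
            Compliant = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and "$value" -eq '1')
        }
    }
}

Enable-CertPaddingCheck
Test-CertPaddingCheck | Format-Table -AutoSize

# The stricter verification only takes effect after a restart:
# Restart-Computer
```

Test-CertPaddingCheck is also useful on its own as a compliance check across a fleet, since a DWORD or a value present in only one of the two views both show up as non-compliant. After the reboot, Get-AuthenticodeSignature on a file that carries extra data in its certificate table reports a status other than Valid, which is the expected result of the opt-in.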