Google Project Zero researcher Tavis Ormandy has published details about a bug in a core Windows crypto library that’s been present since Windows 8 and could be used to “take down a Windows fleet pretty quickly”.
SymCrypt is one of Microsoft’s open-source projects that has become its primary crypto library for symmetric algorithm since Windows 8. As of Windows 10 1703, it also became the primary crypto library for asymmetric algorithms, too.
Ormandy, who often finds bugs in antivirus software, crafted an X.509 certificate that triggers the bug and creates a denial-of-service condition on any Windows server, which could require a reboot for it be up and running again.
“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,” explained Ormandy in a write-up published on Microsoft’s June 2019 Patch Tuesday.
Microsoft had “committed to fixing it in 90 days”, according to Ormandy, in line with Google’s three-month deadline for fixing or publicly disclosing bugs that its researchers find.
But, according to Tim Willis, a senior security engineering manager at Google, the Microsoft Security Response Center (MSRC) informed Google on Tuesday that it could not ship the patch until the July Patch Tuesday release “due to issues found in testing”.
Once again this bug appears to have its roots in the way Windows interacts with antivirus software.
“I’ve been able to construct an X.509 certificate that triggers the bug,” explained Ormandy.
“I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (eg ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
Ormandy notes that the bug is a low-severity issue. However, admins should be aware of it due to potential for an attacker to down an entire fleet of Windows machines without much difficulty.
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It’s a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn’t.
— Tavis Ormandy (@taviso) June 11, 2019
More on Microsoft and Windows security
READ MORE HERE