Microsoft has released patches for various versions of Windows 10 and Windows Server 2019 and 2016 to fix a severe vulnerability affecting system validation of Elliptic Curve Cryptography (ECC) certificates. This vulnerability enables an attacker to spoof the validity of a certificate chain and signature validation and requires prompt patching.
The vulnerability was discovered by NSA (PDF), which has strongly warned of the risks associated with not patching all affected systems as soon as possible.
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.
The vulnerability affects signature validation in HTTPS connections, mails and files, and executables downloaded from the Internet. This means a malicious site, file, or executable may appear to be signed by a legitimate entity.
NSA has also provided a number of suggestions as to how to patch systems and how to use certutil and openssl to identify suspicious certificates that may be installed on a system.
Certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts.
This is extremely important if you are late in installing the Microsoft patches, leaving your system vulnerable for too long. In this case, NSA instructions are useful to ensure no non-legit certificates have been added to your certificate cache while your system was unpatched.
According to Microsoft, no exploits in the wild are known, but a number of independent security practitioners have quickly released proofs of concepts (POCs) for an attack that exploites this vulnerability.
As Yolan Romailler, security engineer at Swiss firm Kudelski Security, explains, a way to exploit the vulnerability is to use an X.509 certificate generated with "explicit parameters".
The problem here is really that the CA certificate cache used by the CryptoAPI is falsely considering that a modified root CA is in the CA certificate store as soon as its public key and serial number match a certificate that is already in the certificate cache, ignoring the fact that this modified certificate is not using the same curve parameters as the one in its cache.
Another useful, high-level explanation is provided by Twitter user Cem Paya, who speculates that Crypto32.dll implemented support for "user-defined" elliptic curves in a "lazy" way:
It failed to check that all curve parameters are identical to the known curve. In particular, switching the generator point results in a different curve in which an attacker can forge signatures that match a victim public key.
An comprehensive discussion of the Crypto32 exploit, along with some interesting mathematical background, can be found on Trail of Bits website.
While it is true this vulnerability requires updating all affected Windows systems as soon as possible, Kudelsky attempts to better frame the context in which it could be exploited:
In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware. [...] you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.
This also has an interesting corollary that makes NSA decision to disclose the vulnerability more understandable:
This is also probably why the NSA decided not to weaponize their finding, but to rather disclose it: for them it is best to have the USA patched rather than to keep it and take the risk of it being used against the USA, as the attack surface is so vast.
Although the bug resided in Windows Crypto32.dll library, which was introduced with Windows NT 4.0, the vulnerability lies with the more advanced ECC features described above which are seemingly not supported on Windows 7, Windows 8.1, and other Windows versions other than those listed in Microsoft security advisory.