
Worklet: WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900) mitigation

  • October 3, 2022
  • 2 replies
  • 4223 views

Juanmbi

This is an older CVE that was reissued by Microsoft on January 21, 2022. There is no patch for this vulnerability. It affects all current and previous versions of Windows OS, and it is considered “opt-in” with no plans to enforce stricter verification. This is listed in the CISA Known Exploited Vulnerabilities catalog.


Updated reissue:
CVE-2013-3900 - Security Update Guide - Microsoft - WinVerifyTrust Signature Validation Vulnerability


Other:
https://nvd.nist.gov/vuln/detail/CVE-2013-3900
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098


Evaluation Code:

#Clears all errors prior to running script
$Error.Clear()

#Caveat: the Automox agent runs this evaluation as a 32-bit process. On 64-bit Windows, a 32-bit
#process reading HKLM:\SOFTWARE\Microsoft\Cryptography is redirected to Wow6432Node, so the two
#reads below land on the same key. Run the check through sysnative (as the remediation does)
#to read the native 64-bit view.

#All values tested. SilentlyContinue hides a missing-value error message; the error is still counted in $Error.
$Value1 = Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config"
$Value2 = Test-Path -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
$Value3 = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" -Name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue
$Value4 = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -Name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue

#Test that both $Value1 and $Value2 are True (both keys exist)
if (-not ($Value1 -and $Value2))
{
    Exit 1
}
#Test that both $Value3 and $Value4 equal 1 (the comparison accepts a REG_SZ "1" or a DWORD 1)
elseif (("1" -ne $Value3) -or ("1" -ne $Value4))
{
    Exit 1
}
#Test that there were no errors. When reading $Value3 and $Value4, a missing entry raises a non-terminating error.
elseif ($Error.Count -ne 0)
{
    Exit 1
}
else
{
    Exit 0
}


Remediation Code:

<#
.SYNOPSIS
    Creates two registry entries to mitigate WinVerifyTrust Signature Validation Vulnerability CVE-2013-3900
.DESCRIPTION
    This script creates the two necessary registry entries to mitigate WinVerifyTrust Signature Validation Vulnerability CVE-2013-3900
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
    Automox runs as a 32-Bit process, so the script must execute in a 64-Bit shell.
    Inspiration for script block to trigger 64-Bit shell found here: https://help.automox.com/hc/en-us/articles/5352120268820-Enforce-Windows-Registry-Settings-Worklet
#>


$scriptBlock = {
    #Final registry key paths. In the 64-bit shell, HKLM:\SOFTWARE is the native 64-bit view and
    #Wow6432Node is the view that 32-bit processes see; the value is needed in both.
    #Single-quoted literals survive being passed to powershell.exe as a command-line argument.
    $nativePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    $wowPath    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'

    #Registry entry name
    $RegentryName = 'EnableCertPaddingCheck'

    try {
        foreach ($keyPath in @($nativePath, $wowPath)) {
            #Creates the key, and any missing parent keys, only when it does not exist yet
            if (-not (Test-Path -Path $keyPath)) {
                New-Item -Path $keyPath -Force -ErrorAction Stop | Out-Null
            }
            #Creates or overwrites the value as REG_SZ "1" (the type -Value "1" produced before, and the
            #type in Microsoft's .reg fragment). -ErrorAction Stop makes failures reach the catch block;
            #Out-Null keeps the returned objects out of the scriptblock's output, which the caller reads as the return code.
            New-ItemProperty -Path $keyPath -Name $RegentryName -Value '1' -PropertyType String -Force -ErrorAction Stop | Out-Null
        }
        return 0
    } catch {
        return 1
    }
}

#Execute the scriptblock above in the 64-bit shell. The scriptblock's only output is 0 for success or 1 for failure,
#which becomes this script's exit code and tells Automox whether the remediation succeeded.
$returnCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command $scriptBlock

Write-Host $returnCode
Exit $returnCode
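A bitness-independent check, added here as an example and not part of the original worklet: it opens HKLM through the explicit 64-bit and 32-bit registry views via the .NET registry API, so it reports the same result whether it runs from the 32-bit agent or a 64-bit shell, and it shows the value type that was written. The function names Get-CertPaddingCheckStatus and Test-CertPaddingCheck are chosen for this example and are not Automox or Microsoft APIs.

```powershell
# Added example: read EnableCertPaddingCheck from both registry views explicitly, so the
# verdict does not depend on whether the calling process is 32- or 64-bit.
# Function names below are this example's own, not Automox or Microsoft APIs.
function Get-CertPaddingCheckStatus {
    $subKey = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    $name   = 'EnableCertPaddingCheck'
    foreach ($view in @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)) {
        # An explicit view bypasses WOW64 redirection: on a 64-bit OS, Registry32 lands on
        # Wow6432Node; on 32-bit Windows both views resolve to the one registry.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $null
        try {
            $key   = $hklm.OpenSubKey($subKey)            # $null when the key is missing
            $value = if ($key) { $key.GetValue($name) } else { $null }
            $kind  = if ($key -and $null -ne $value) { $key.GetValueKind($name) } else { $null }
            [pscustomobject]@{
                View      = $view
                KeyExists = [bool]$key
                Value     = $value
                Kind      = $kind                          # String for the REG_SZ "1" Microsoft's .reg fragment sets
                Mitigated = ($null -ne $value) -and ("$value" -eq '1')
            }
        } finally {
            if ($key) { $key.Close() }
            $hklm.Close()
        }
    }
}

# Worklet-style verdict: 0 only when both views carry the value, 1 otherwise.
function Test-CertPaddingCheck {
    $status = Get-CertPaddingCheckStatus
    $status | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host ("Running as 64-bit process: {0}" -f [Environment]::Is64BitProcess)
    if (@($status | Where-Object { -not $_.Mitigated }).Count -eq 0) { return 0 }
    return 1
}

Exit (Test-CertPaddingCheck)
```

Because the views are opened explicitly, this check can replace the sysnative hop in the evaluation, while the table it prints shows which view (if any) is still unset.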


2 replies


Thanks Juanmbi. Looks like this vulnerability was exploited by the 3CX Desktop App’s dll files. I’ll test this worklet.


Juanmbi
  • Author
  • Rookie
  • 2 replies
  • April 11, 2024

An official Worklet Catalog worklet for this has been created since I created the above script. Please use that instead of mine.

https://www.automox.com/worklets/mitigate-winverifytrust-signature-validation-windows

