Worklet: WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900) mitigation

  • 3 October 2022

This is an older CVE that was reissued by Microsoft on January 21, 2022. There is no patch for this vulnerability. It affects all current and previous versions of Windows OS and is considered “opt-in”, with no plans to enforce stricter verification. This is listed in the CISA known exploited vulnerabilities catalog.

 

Updated reissue:
CVE-2013-3900 - Security Update Guide - Microsoft - WinVerifyTrust Signature Validation Vulnerability

 

Other:
https://nvd.nist.gov/vuln/detail/CVE-2013-3900
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098

 

Evaluation Code:

#Clears all errors prior to running script
$Error.Clear()

#All values tested
$Value1 = Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config"
$Value2 = Test-Path -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
$Value3 = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" -Name "EnableCertPaddingCheck"
$Value4 = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -Name "EnableCertPaddingCheck"

#Test that both $Value1 and $Value2 are True
if (("True" -ne $Value1) -or ("True" -ne $Value2))
{
    Exit 1
}
#Test that both $Value3 and $Value4 equal 1
elseif (("1" -ne $Value3) -or ("1" -ne $Value4))
{
    Exit 1
}
#Test that there were no errors. When testing $Value3 and $Value4, if no entry exists a non-terminating error will be thrown.
elseif ("0" -ne $Error.Count)
{
    Exit 1
}
else
{
    Exit 0
}

 

Remediation Code:

<#
.SYNOPSIS
Creates two registry entries to mitigate WinVerifyTrust Signature Validation Vulnerability CVE-2013-3900
.DESCRIPTION
This script creates the two necessary registry entries to mitigate WinVerifyTrust Signature Validation Vulnerability CVE-2013-3900
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
Automox runs as a 32-Bit process, so the script must execute in a 64-Bit shell.
Inspiration for script block to trigger 64-Bit shell found here: https://help.automox.com/hc/en-us/articles/5352120268820-Enforce-Windows-Registry-Settings-Worklet
#>


$scriptBlock = {
    #Final registry key paths. In the 64-bit shell the first path is the native (64-bit) view
    #and the Wow6432Node path is the view used by 32-bit processes.
    $nativePath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config"
    $wow64Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"

    #Registry entry name
    $RegentryName = "EnableCertPaddingCheck"

    try {
        foreach ($path in $nativePath, $wow64Path) {
            #Creates the key (and any missing parent keys) only if it does not already exist
            if (-not (Test-Path -Path $path)) {
                New-Item -Path $path -Force -ErrorAction Stop | Out-Null
            }
            #Creates the registry entry in the final key path. -Force overwrites an existing entry,
            #-ErrorAction Stop makes a failure reach the catch block, and Out-Null keeps the
            #created objects out of the script block's output so only the return code comes back.
            New-ItemProperty -Path $path -Name $RegentryName -Value "1" -Force -ErrorAction Stop | Out-Null
        }

        return 0
    } catch {
        return 1
    }
}

#Execute the scriptblock above in a 64-bit shell. Returns 0 for success and 1 for failure, which is used to determine script success.
$returnCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command $scriptBlock

#Print the return code after it has been assigned
Write-Host $returnCode

Exit $returnCode
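
An added example, not part of the original post and not an Automox worklet: an evaluation check that opens the 64-bit and 32-bit registry views explicitly through .NET, so the result does not depend on the bitness of the process running it. The function name Test-CertPaddingCheck is hypothetical; the key path and entry name are the ones used in the post.

```powershell
# Added example: check EnableCertPaddingCheck in both registry views without
# relying on WOW64 redirection or a sysnative shell.
$SubKey    = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
$ValueName = 'EnableCertPaddingCheck'

# Hypothetical helper: returns $true when the entry equals 1 in the given view.
function Test-CertPaddingCheck {
    param(
        [Parameter(Mandatory)]
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)   # read-only; $null when the key is missing
        if ($null -eq $key) { return $false }
        try {
            $value = $key.GetValue($ValueName, $null)   # $null when the entry is missing
            # Compared as a string so "1" and the number 1 both match
            return ($null -ne $value) -and ("$value" -eq '1')
        } finally {
            $key.Dispose()
        }
    } finally {
        $base.Dispose()
    }
}

$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$results = foreach ($view in $views) {
    [pscustomobject]@{ View = $view; Enabled = Test-CertPaddingCheck -View $view }
}
$results | Format-Table -AutoSize | Out-String | Write-Host

# Non-compliant (exit 1) if either view lacks the setting
if ($results.Enabled -contains $false) { Exit 1 } else { Exit 0 }
```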

 


2 replies


Thanks Juanmbi. Looks like this vulnerability was exploited by the 3CX Desktop App’s dll files. I’ll test this worklet.


An official Worklet Catalog worklet for this has been created since I created the above script. Please use that instead of mine.

https://www.automox.com/worklets/mitigate-winverifytrust-signature-validation-windows
