A Google researcher has discovered a vulnerability in the SymCrypt cryptographic library of Microsoft’s Windows OS that can trigger a DDoS disruption in Windows 8 servers and above, causing a perpetual operation “when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.”
Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of. https://t.co/KKa7cOMyfw
— Tavis Ormandy (@taviso) June 11, 2019
https://twitter.com/vcsjones/status/1123089141481254917
Expert Comments:
Adam Laub, SVP Product Management at STEALTHbits Technologies:
“This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed. The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix. When I first started in the industry nearly 15 years ago, Patch Management was very much the flavor of the day – much like Privileged Access Management (PAM) and Artificial Intelligence (AI) technologies command significant mindshare among security practitioners now. Sadly, the Patch Management problem persists despite advances in so many other areas of IT Management, which could make this “low severity” vulnerability a lot more pungent than it ought to be.”
Mounir Hahad, Head at Juniper Threat Labs at Juniper Networks:
“This could spell disaster. You no longer need to mount DDoS amplification attacks to be successful at bringing down an IIS server – all you need is to present a specially crafted client certificate. And given there are more than nine million Microsoft IIS servers still in operation around the world, about half of which are in the U.S. and China, a lot of organizations could potentially fall victim to this attack. It’s a fairly low barrier attack since the Google researcher made a specially crafted sample certificate available for public download.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.