Windows-powered data centres still vulnerable to CryptoAPI bug, says Akamai

CryptoAPI helps developers secure their Windows apps cryptographically

January 28, 2023 / 16:51 IST
A bug in the Windows CryptoAPI is still unpatched on most data centre systems. Security researchers from Akamai said that the bug was discovered and fixed by Microsoft in August 2022, but 99 percent of Windows-based data centres have still not been patched.

The CryptoAPI allows developers to secure their Windows apps cryptographically, but a bug in the API allows malicious actors to sign certificates in a way that tricks Windows into believing they are legitimate.

If an organisation relies on CryptoAPI for authentication, attackers can craft a fake certificate that the API will accept as valid. This lets bad actors impersonate another organisation or system, which in turn can give them control of the victim's computer.

Microsoft issued a patch for the bug in August 2022, but disclosed it only in October. It appears many organisations have still not applied the patch to their data centres.

The bug was first disclosed to Microsoft by the US National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC).

"We found that fewer than one percent of visible devices in data centres are patched, rendering the rest unprotected from exploitation of this vulnerability," Akamai security researchers Tomer Peled and Yoni Rozenshein told The Register.

"The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate’s subject," wrote the duo in a blog post.
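The second phase the researchers describe hinges on one property: two different certificates that share an MD5 digest. The following is an added illustration, not Akamai's or Microsoft's code, of why a trust decision keyed on an MD5 fingerprint alone fails and how keying on SHA-256 (or comparing the full bytes) does not. The two 64-byte blobs are the published single-block MD5 collision pair from Marc Stevens (2012), standing in for the two certificates; the `TrustCache` class is a constructed toy, not a model of Windows' internal cache.

```python
import hashlib

# Published single-block MD5 collision (Marc Stevens, 2012): two distinct
# 64-byte messages with the same MD5 digest. They stand in here for a
# legitimate certificate and a second certificate whose MD5 collides with it.
BLOB_A = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
BLOB_B = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)


def fingerprint(blob: bytes, algo: str) -> str:
    """Hex digest of a DER-like blob under the named hash algorithm."""
    return hashlib.new(algo, blob).hexdigest()


class TrustCache:
    """Constructed toy: remembers blobs that already passed validation,
    keyed by their fingerprint, so repeat lookups skip full validation."""

    def __init__(self, algo: str) -> None:
        self.algo = algo
        self._seen: dict[str, bytes] = {}

    def remember(self, blob: bytes) -> None:
        self._seen[fingerprint(blob, self.algo)] = blob

    def is_trusted(self, blob: bytes) -> bool:
        # Weak check: a fingerprint hit alone is taken as proof of identity.
        return fingerprint(blob, self.algo) in self._seen

    def is_trusted_strict(self, blob: bytes) -> bool:
        # Hardened check: the cached bytes must equal the presented bytes,
        # so a digest collision can never be mistaken for the same object.
        cached = self._seen.get(fingerprint(blob, self.algo))
        return cached is not None and cached == blob


def demo(algo: str) -> tuple[bool, bool]:
    """Validate BLOB_A once, then ask whether the colliding BLOB_B is trusted
    under the weak and the strict check. Returns (weak, strict)."""
    cache = TrustCache(algo)
    cache.remember(BLOB_A)
    return cache.is_trusted(BLOB_B), cache.is_trusted_strict(BLOB_B)


if __name__ == "__main__":
    print("blobs identical:", BLOB_A == BLOB_B)
    print("md5    weak/strict:", demo("md5"))
    print("sha256 weak/strict:", demo("sha256"))
```

Under MD5 the weak lookup reports the never-validated `BLOB_B` as trusted, which is exactly the identity confusion the quoted attack flow exploits; the same lookup keyed on SHA-256 does not, and a byte-for-byte comparison against the cached object closes the gap regardless of hash. For a defender the takeaways are the mitigations the article already implies: apply Microsoft's fix, and never let a weak-hash fingerprint alone stand in for the object it names.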

Moneycontrol News
first published: Jan 28, 2023 04:50 pm