A vulnerability in the SymCrypt cryptographic library of Microsoft's OS can trigger a distributed denial-of-service (DDoS) disruption in Windows 8 servers and above, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher.
“I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't,” Ormandy tweeted.
Now that we’ve entered into the 91st day, Ormandy has gone public with what he said is a relatively low severity bug. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g., ipsec, iis, exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock,” Ormandy wrote in the Project Zero vulnerability report.
Ormandy noted that while it is a low-severity bug, it would be possibly to take down an entire Windows fleet relatively quickly if exploited. “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule,We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption," a Microsoft spokesperson wrote in an email.*
"This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed. The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix,” said Adam Laub, SVP product management, STEALTHbits Technologies.
“When I first started in the industry nearly 15 years ago, patch management was very much the flavor of the day – much like privileged access management (PAM) and artificial intelligence (AI) technologies command significant mind share among security practitioners now. Sadly, the patch management problem persists despite advances in so many other areas of IT management, which could make this 'low severity' vulnerability a lot more pungent than it ought to be."
*June 12, 2019 3:38 PM: This article was updated to include comment from a Microsoft spokesperson.