Tavis Ormandy, a white hat hacker Google Project Zero announced to have found a zero-day flaw in the SymCrypt cryptographic library of Microsoft’s operating system.

The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs trigger a denial of service condition by interrupting the encryption service for other programs.

The vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. According to the Google 90-days disclosure policy, Ormandy publicly released details and proof-of-concept of the vulnerability.

Ormandy privately reported the flaw to Microsoft in March 2019, but the tech giant failed into fixing it after 90 days.

Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of. https://t.co/KKa7cOMyfw — Tavis Ormandy (@taviso) June 11, 2019

The unpatched vulnerability affects Windows 8 servers and above.

According to Microsoft, SymCrypt is the primary library for implementing symmetric cryptographic algorithms in Windows 8, it also implements asymmetric cryptographic algorithms starting with Windows 10 version 1703.

Ormandy discovered that it is possible to trigger the flaw to cause an infinite loop when making specific cryptographic operations.

“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.” wrote the expert.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

The white hat hacker used a specially crafted X.509 digital certificate to trigger the flaw, he explained that any application running on the system that processes the certificate can trigger the vulnerability.

Specially crafted certificates could be provided in multiple ways, for example in digitally signed and encrypted messages via the S/MIME protocol.

Ormandy explained that is some cases it would be necessary to reboot the vulnerable machine to return in a normal state.

Microsoft Security Response Center (MSRC) told the Google expert that the company will not able to provide a security patch before next month.

Pierluigi Paganini

(SecurityAffairs – SymCrypt, hacking)