WinVerifyTrust Vulnerability (CVE-2013-3900)
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details
A security flaw in the Windows WinVerifyTrust function allows attackers to execute code remotely by altering signed executable files without invalidating their Authenticode signatures. A successful attacker can take full control of the system: install or modify software, view or delete data, and create new accounts with full user rights. The risk is greater when the user running the altered file has administrative rights.
Severity Rating
High
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 166555 to scan the device and check for the vulnerability.
You can also run the PowerShell script we provided, passing the IP address or hostname and the port number. It connects to the service (for example HTTPS or RDP) and retrieves the values from the certificate.
What You Should Be Aware of if You Apply a Fix
Enabling the more stringent verification option causes WinVerifyTrust to perform strict Windows Authenticode signature validation for PE files. Once the option is active, PE files whose content does not conform to the Authenticode specification are treated as "unsigned" by Windows. This can break some installers; where an installer is affected, Microsoft advises switching to one that extracts content only from the authenticated sections of the signed file.
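To make concrete what "content not adhering to the Authenticode standards" means, the following Python example (added here; it is not Microsoft's code or part of the original page) parses one WIN_CERTIFICATE entry from a PE security directory and reports bytes that sit inside dwLength but outside the PKCS#7 SignedData blob. Its padding model (only zero bytes up to the next 8-byte boundary are tolerated) is an assumption about the stricter check, and the sample entries are constructed, not taken from a real binary.

```python
import struct

WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength (u32), wRevision (u16), wCertificateType (u16)
CERT_REVISION, CERT_TYPE_PKCS7 = 0x0200, 0x0002  # WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA
def der_total_length(data):
    """Encoded size (tag + length + content) of the DER SEQUENCE at data[0]."""
    if len(data) < 2 or data[0] != 0x30:  # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_win_certificate(entry):
    """Return 'ok', or why a strict verifier would treat the entry as unsigned. Assumed padding
    model: only zero bytes up to the next 8-byte boundary may follow the PKCS#7 blob."""
    if len(entry) < WIN_CERT_HDR.size:
        return "truncated header"
    dw_length, revision, cert_type = WIN_CERT_HDR.unpack_from(entry)
    if revision != CERT_REVISION or cert_type != CERT_TYPE_PKCS7:
        return "unsupported revision or certificate type"
    if dw_length > len(entry):
        return "dwLength exceeds available data"
    body = entry[WIN_CERT_HDR.size:dw_length]
    try:
        pkcs7_len = der_total_length(body)
    except ValueError as exc:
        return f"malformed PKCS#7: {exc}"
    if pkcs7_len > len(body):
        return "PKCS#7 blob extends past dwLength"
    trailing = body[pkcs7_len:]
    if len(trailing) > 7 or any(trailing):
        return f"{len(trailing)} extraneous byte(s) after PKCS#7 SignedData"
    return "ok"

def build_entry(pkcs7, extra=b""):
    # Constructed helper: header + DER blob (+ optional extra bytes), zero-padded to 8 bytes
    body = pkcs7 + extra
    body += b"\x00" * (-(WIN_CERT_HDR.size + len(body)) % 8)
    return WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(body), CERT_REVISION, CERT_TYPE_PKCS7) + body

# Constructed samples: a tiny SEQUENCE { INTEGER 5 } stands in for real SignedData.
SAMPLE_PKCS7 = b"\x30\x03\x02\x01\x05"
COMPLIANT = build_entry(SAMPLE_PKCS7)
TAMPERED = build_entry(SAMPLE_PKCS7, b"EXTRA")  # unsigned bytes appended inside dwLength
print("compliant:", check_win_certificate(COMPLIANT), "| tampered:", check_win_certificate(TAMPERED))
```

A real scanner would read the entry from the PE's Certificate Table (data directory index 4) before calling `check_win_certificate`; the padding model above is what a file flagged by the hardened WinVerifyTrust would fail.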
How to Fix
On December 10, 2013, Microsoft released an update for all supported releases of Microsoft Windows that changes how signatures are verified for binaries signed with the Windows Authenticode signature format. This change can be enabled on an opt-in basis. When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed.
Because the new behavior is opt-in, the update alone does not change how signatures are verified; use the scripts below to enable it.
Scripts
Registry fix
Create a WinVerifyEnable.reg file with the text below and import it into the registry. The value is a REG_SZ string "1"; the Wow6432Node key covers 32-bit processes on 64-bit Windows.

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
```
Either double-click the file or import it from an elevated command prompt:

```cmd
reg import WinVerifyEnable.reg
```
PowerShell script
```powershell
# Registry keys that control the stricter WinVerifyTrust check. 64-bit systems need both
# the native key and the Wow6432Node key that 32-bit processes read.
$regPaths = @(
    "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config",
    "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
)
$valueName = "EnableCertPaddingCheck"

foreach ($regPath in $regPaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    # Create the value, or overwrite it if it already exists (-Force).
    # Test-Path cannot see registry values, so the original "does the value exist"
    # check always failed; Microsoft specifies a REG_SZ value of "1".
    New-ItemProperty -Path $regPath -Name $valueName -Value "1" -PropertyType String -Force | Out-Null
    # Output the registry value data
    Get-ItemProperty -Path $regPath -Name $valueName
}
```
How to Verify the Fix
- Rescan the device with Nessus plugin ID 166555 and check for the vulnerability.
- Or run the following PowerShell script, which checks both registry keys written by the fix:

```powershell
# Both keys written by the fix; the Wow6432Node key covers 32-bit processes on 64-bit Windows
$registryPaths = @(
    "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config",
    "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
)
# Name of the registry value
$registryValueName = "EnableCertPaddingCheck"

foreach ($registryPath in $registryPaths) {
    # -ErrorAction Stop turns a missing key or value into a terminating error the catch block sees
    try {
        $registryValue = Get-ItemProperty -Path $registryPath -Name $registryValueName -ErrorAction Stop
        if ($registryValue.$registryValueName -eq "1") {
            Write-Host "${registryPath}: EnableCertPaddingCheck is set to 1."
        } else {
            Write-Host "${registryPath}: EnableCertPaddingCheck is not set to 1."
        }
    } catch {
        Write-Host "${registryPath}: Error: Unable to find the registry key or value."
    }
}
```
- Manually check:
Open the Windows Registry Editor and navigate to `HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config`.
At this location, verify that the `EnableCertPaddingCheck` value is set to '1', as shown in the image below. On 64-bit Windows, check the same value under `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config` as well.
