Windows SymCrypt library bug could enable attackers 'to take down an entire Windows fleet'

Microsoft's Security Research Centre says a patch for the flaw uncovered by Tavis Ormandy won't ship until July

Tavis Ormandy, a Google security researcher, has revealed details of a denial-of-service security flaw in Windows, which could "take down an entire Windows fleet" if exploited.

Ormandy reported the vulnerability to Microsoft on 13th March, but was told that a patch for the issue would not be released before June's Patch Tuesday. Microsoft has now pushed it back to next month.

Microsoft's Security Research Centre has now informed Ormandy that it needs more time to release a patch for the flaw, and that it won't ship until July due to issues discovered in testing.

After the 90-day disclosure deadline expired, Ormandy decided to disclose the bug publicly.

"Today is day 91, so the issue is now public," he tweeted.

The researcher revealed that the bug lies in SymCrypt, the main cryptography library for the Windows operating system, and could cause a denial-of-service condition in Windows versions from Windows 8 onwards.

SymCrypt has been used to implement symmetric cryptographic algorithms since Windows 8 and asymmetric algorithms since Windows 10 version 1703.

According to Ormandy, the SymCrypt bug could cause a never-ending operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric".

He tested the bug using a specially crafted X.509 digital certificate that cannot be verified to completion, and observed that the vulnerability was triggered whenever a programme on the system attempted to process the certificate.

Ormandy embedded the certificate into S/MIME signed messages, SChannel connections and other encrypted communications, and was able to deadlock any Windows server.
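As an added illustration (not code from the article, from Ormandy's report, or from SymCrypt itself), the following Python shows the property a cryptographic library needs from its modular-inverse routine when the operands come from untrusted input such as a certificate: every input terminates in a bounded number of steps, and a non-invertible operand is reported rather than looped on. The function names, the defensive step cap and the sample operands are assumptions of this example; the actual bit patterns that trigger the SymCrypt bug are not given in the article and are not reproduced here.

```python
from typing import Optional

# Constructed sample operands standing in for values pulled from an untrusted
# certificate; they are NOT the patterns that trigger the SymCrypt bug.
SAMPLE_OPERANDS = [
    (3, 11),           # invertible: 3 * 4 = 12 = 1 (mod 11)
    (0, 11),           # zero has no inverse
    (6, 9),            # gcd(6, 9) = 3, so no inverse exists
    (2, 2**255 - 19),  # large prime modulus, invertible
]


def modinv_bounded(a: int, m: int) -> Optional[int]:
    """Return a^-1 mod m, or None when gcd(a, m) != 1.

    Uses the extended Euclidean algorithm, whose number of division steps is
    bounded by roughly 1.5 * log2(m) (Lame's theorem).  A defensive step cap
    (an assumption of this example, not SymCrypt's code) turns any unexpected
    non-convergence into an error instead of a hang.
    """
    if m <= 1:
        raise ValueError("modulus must be greater than 1")
    a %= m
    old_r, r = a, m
    old_s, s = 1, 0
    max_steps = 2 * m.bit_length() + 2
    for _ in range(max_steps):
        if r == 0:
            break
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    else:
        # Only reachable if the loop invariant is broken (a logic bug);
        # fail closed rather than spin forever.
        raise RuntimeError("modular inverse did not converge")
    if old_r != 1:
        return None  # a and m are not coprime: no inverse exists
    return old_s % m


def check_operands(pairs):
    """Classify each (a, m) pair as invertible or not without ever hanging.

    Returns a list of (a, m, inverse_or_None); a caller handling untrusted
    input can reject the whole object as soon as a None appears.
    """
    results = []
    for a, m in pairs:
        inv = modinv_bounded(a, m)
        if inv is not None:
            assert (a * inv) % m == 1  # self-check of the computed inverse
        results.append((a, m, inv))
    return results


if __name__ == "__main__":
    for a, m, inv in check_operands(SAMPLE_OPERANDS):
        status = f"inverse {inv}" if inv is not None else "NOT invertible"
        print(f"a={a} with {m.bit_length()}-bit modulus: {status}")
```

The point for a defender is the shape of the contract rather than the arithmetic: a routine fed attacker-controlled operands must have a termination argument for every input, including degenerate ones like zero or non-coprime values, and a caller that processes untrusted certificates should treat "no inverse" as a reason to reject the object rather than an impossible case.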


According to Ormandy, the bug could be used to DoS computers, and in some cases the attacked systems would need to be rebooted to get out of the infinite loop.

"I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, SChannel connection, and so on will effectively DoS any windows server (for example, ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted," Ormandy explained in the report filed on Google's Project Zero site.

"Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock," he added.

The researcher rates the flaw as low severity, although it could enable an attacker to take down a "Windows fleet" in a very short period.

Some security researchers have criticised Ormandy for disclosing the details of the bug, including a proof-of-concept certificate, rather than waiting for the release of a patch from Microsoft.

However, Ormandy defended his decision, saying that he would have extended the deadline had Microsoft promised to fix the issue within 120 days.
