Introduction
In today’s digital world, cyber threats are evolving at an unprecedented pace. One long-standing weakness that continues to demand attention is the WinVerifyTrust signature validation vulnerability (CVE-2013-3900). It lets an attacker hide malicious content inside a legitimately signed Windows executable and pass it off as a ‘trusted software update’. Closing this gap helps prevent unauthorised access, data breaches and ransomware attacks. Here we explain the vulnerability, set out remediation options, explain why it matters, and link it to one of the benefits of Cyber Essentials Plus testing.
Cyber Essentials Plus Testing
Cyber Essentials sets out to ensure devices are not vulnerable to known security issues. Certification involves testing whether an internet-based attacker could break into systems using low-skill, commodity methods, and checking devices for known weaknesses. Qualified assessors use specially designed tools to carry out the Cyber Essentials Plus testing that identifies and highlights these weaknesses. The findings can be extremely valuable for an organisation: an opportunity to identify and fix system weaknesses before they can be exploited by bad actors.
WinVerifyTrust Explained
WinVerifyTrust is the Windows function that verifies the authenticity of software by checking its Authenticode digital signature. CVE-2013-3900 is a long-standing flaw in how that check was performed, and it is one of the risks that Cyber Essentials Plus testing identifies so that it can be addressed.
What an Attacker Can Do
An attacker can take an executable signed by a trusted publisher and append their own content to the file’s signature block without invalidating the signature. Windows still reports the file as validly signed by the original publisher.
How it Works
Normally, a digital signature guarantees that a file has not been tampered with. Authenticode, however, deliberately excludes the signature block itself (the PE certificate table) from the signed hash, and the vulnerable WinVerifyTrust logic did not check that this block contained nothing beyond the PKCS#7 signature structure. An attacker can therefore place arbitrary data in that unverified space and Windows still treats the file as validly signed. Windows does not execute that data on its own; the signed program, or other malicious code delivered alongside it, reads it back and acts on it, so a trusted-looking file becomes the carrier for an attack.
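The mechanism is easier to see on a real file. The PowerShell function below is an added example, not code from the original article or from Microsoft: it parses a PE file’s certificate table, decodes the length of the DER-encoded PKCS#7 structure inside it, and reports how many bytes of the WIN_CERTIFICATE fall outside that structure and so outside the signed hash. Up to seven zero bytes of 8-byte alignment padding are normal; more than that, or non-zero bytes, is exactly what the EnableCertPaddingCheck setting rejects. The function name and output fields are this example’s own; the offsets follow the PE/COFF and Authenticode specifications.

```powershell
# Added example, not from the original article. Parses the Authenticode
# certificate table of a PE file and reports bytes that sit outside the
# PKCS#7 signature structure and are therefore not covered by the signed hash.
# Only the first WIN_CERTIFICATE entry is examined.
function Get-AuthenticodeSlack {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }

    # e_lfanew (offset 0x3C) points at the 'PE\0\0' signature.
    $peOffset = [int][BitConverter]::ToUInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has an invalid PE signature"
    }

    # The optional header follows the 4-byte signature and 20-byte COFF header.
    $optHeader = $peOffset + 24
    $magic = [BitConverter]::ToUInt16($bytes, $optHeader)
    # Data directories begin at optional-header offset 96 (PE32) or 112 (PE32+).
    $dirBase = switch ($magic) {
        0x10B   { $optHeader + 96 }
        0x20B   { $optHeader + 112 }
        default { throw ('Unknown optional header magic 0x{0:X}' -f $magic) }
    }

    # Directory entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike the other
    # entries, its first field is a raw file offset rather than an RVA.
    $certOffset = [int][BitConverter]::ToUInt32($bytes, $dirBase + 4 * 8)
    $certSize   = [int][BitConverter]::ToUInt32($bytes, $dirBase + 4 * 8 + 4)
    if ($certOffset -eq 0 -or $certSize -eq 0) {
        # No embedded signature; the file may still be catalog-signed.
        return [pscustomobject]@{ Path = $Path; EmbeddedSignature = $false }
    }

    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $dwLength = [int][BitConverter]::ToUInt32($bytes, $certOffset)
    $revision = [BitConverter]::ToUInt16($bytes, $certOffset + 4)
    $certType = [BitConverter]::ToUInt16($bytes, $certOffset + 6)

    # bCertificate is a DER SEQUENCE (tag 0x30). Decode its length to find out
    # how far the PKCS#7 structure actually extends.
    $der = $certOffset + 8
    if ($bytes[$der] -ne 0x30) { throw 'Certificate table does not start with a DER SEQUENCE' }
    $lenByte = [int]($bytes[$der + 1])
    if ($lenByte -lt 0x80) {
        $headerLen = 2; $contentLen = $lenByte
    } else {
        $numLenBytes = $lenByte -band 0x7F
        $headerLen   = 2 + $numLenBytes
        $contentLen  = 0
        for ($i = 0; $i -lt $numLenBytes; $i++) {
            $contentLen = ($contentLen * 256) + [int]($bytes[$der + 2 + $i])
        }
    }
    $derTotal = $headerLen + $contentLen

    # Bytes between the end of the DER structure and the end of WIN_CERTIFICATE
    # are never hashed. Up to 7 zero bytes of alignment padding are expected;
    # anything else is the unverified space CVE-2013-3900 abuses.
    $slack   = $dwLength - 8 - $derTotal
    $nonZero = 0
    if ($slack -gt 0) {
        $nonZero = @($bytes[($der + $derTotal)..($certOffset + $dwLength - 1)] |
                     Where-Object { $_ -ne 0 }).Count
    }

    [pscustomobject]@{
        Path              = $Path
        EmbeddedSignature = $true
        Revision          = ('0x{0:X4}' -f $revision)   # 0x0200 expected
        CertificateType   = $certType                   # 2 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        WinCertLength     = $dwLength
        Pkcs7Length       = $derTotal
        UnhashedBytes     = $slack
        NonZeroUnhashed   = $nonZero
        Suspicious        = ($slack -gt 7 -or $nonZero -gt 0)
        TrailingFileBytes = $bytes.Length - ($certOffset + $certSize)
    }
}

# Usage: point it at any executable with an embedded Authenticode signature.
# Get-AuthenticodeSlack -Path 'C:\path\to\signed.exe' | Format-List
```

Run it against a few installers from different vendors before enabling the padding check fleet-wide: a file whose UnhashedBytes is large and whose signature Get-AuthenticodeSignature still reports as Valid is precisely the kind of file that will start failing validation once the check is on, whether it is malicious or simply an installer that stores its own data in that space.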
Potential Impact
If such a file is run, malicious software could execute on a Windows computer with the rights of the user who launched it, allowing attackers full control: access to programs; the ability to view, change, steal or damage data; and the creation of new user accounts. Damage could also spread to other devices on the network.
Why it Matters
There is potential to bypass security controls and cause harm to devices and data. Because of its HIGH RISK severity, the vulnerability is flagged for remediation during Cyber Essentials Plus testing. The Cyber Essentials: Requirements for IT Infrastructure v3.2 document requires vendor fixes for vulnerabilities with a CVSS v3 base score of 7 or above to be applied within 14 days, including any manual configuration changes, such as this registry change, that the vendor requires to make the fix effective.
Severity
- A HIGH RISK severity ranking
- CVSSv3 Base score is 8.8
- The vulnerability can be used to deploy malicious software
Fix
A registry change that enables the signature padding check Microsoft shipped with its fix. The check is opt-in because some legitimately signed files carry extra data in their signature block and will be reported as unsigned once it is turned on, so test before rolling out.
Set the value EnableCertPaddingCheck to 1 under both of the following keys. Microsoft’s published .reg file writes it as a string value (REG_SZ "1"), and some vulnerability scanners only accept that form. The Wow6432Node key applies to 64-bit Windows only:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config
Options to Fix
- Change to the Registry using a .reg file
- Update the Registry via a command line
- Registry modification via PowerShell
Warning – Before Making Registry Changes
Before making changes, test in a non-production environment and take a backup so the change can be reverted. Exporting just the Wintrust\Config branch is enough to restore these values and is quicker and safer to re-import than a full registry export.
- Manual Backup Using Registry Editor:
- Press Win + R, type regedit, and press Enter to open the Registry Editor
- In the Registry Editor, click on File and select Export
- Choose a location on your computer to save the backup
- In the Export Range panel, choose Selected branch with the Wintrust\Config key highlighted (or All to back up the entire registry)
- Name the backup file and click Save
- System Restore Point:
- Open the Start menu and type / select ‘Create a restore point’
- In the System Properties window, click on ‘Create’
- Enter a description for the restore point and click ‘Create’
Verification
After applying the registry changes, restart the computer to ensure the settings take effect.
The registry entries can be verified by navigating to:
- HKLM\Software\Microsoft\Cryptography\Wintrust\Config
Check EnableCertPaddingCheck is 1
- HKLM\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config
Check EnableCertPaddingCheck is 1
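For a scripted rollout, the PowerShell below is an added example, not code from the original article or from Microsoft, that covers backup, fix and verification in one place: it exports the existing keys with reg.exe so they can be re-imported to revert, writes the value in both locations (the Wow6432Node key only on 64-bit Windows), and then checks that every required location holds the value. The equivalent .reg file content and reg.exe command are shown in the comments. The backup folder and function names are this example’s own assumptions; run it from an elevated session.

```powershell
# Added example, not from the original article. Backs up, applies and verifies
# the EnableCertPaddingCheck opt-in for CVE-2013-3900. Run from an elevated shell.
$ErrorActionPreference = 'Stop'
$ValueName = 'EnableCertPaddingCheck'

# The Wow6432Node view only exists (and is only needed) on 64-bit Windows.
$Keys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Backup-WintrustConfig {
    # Exports each existing key to a .reg file that can be re-imported to revert.
    param([string]$BackupDir = "$env:ProgramData\WintrustBackup")   # assumed location
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }   # key absent (the usual default): nothing to save
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + "-$stamp.reg")
        & reg.exe export $regPath $file /y | Out-Null
        Write-Host "Backed up $regPath to $file"
    }
}

function Set-CertPaddingCheck {
    # Equivalent to Microsoft's published .reg file, which sets a string value:
    #   [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    #   "EnableCertPaddingCheck"="1"
    # or, from a command prompt:
    #   reg add "HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_SZ /d 1 /f
    # Write REG_SZ "1" rather than a DWORD; some scanners only accept that form.
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $ValueName -Value '1' `
            -PropertyType String -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # Returns $true only when every required location holds the value 1.
    $allOk = $true
    foreach ($key in $Keys) {
        $item  = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$ValueName } else { $null }
        $ok    = ("$value" -eq '1')
        if (-not $ok) { $allOk = $false }
        Write-Host ('{0,-8} {1} = {2}' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $key, $value)
    }
    return $allOk
}

Backup-WintrustConfig
Set-CertPaddingCheck
if (Test-CertPaddingCheck) {
    Write-Host 'Remediated. Restart the computer so every process picks up the new setting.'
} else {
    Write-Warning 'Remediation incomplete; review the output above.'
    exit 1
}
```

To revert, double-click or `reg.exe import` the .reg file the backup step wrote (or delete the EnableCertPaddingCheck value if the key did not exist before). Test-CertPaddingCheck can also be run on its own, after the restart, as a quick pre-scan check before the credentialed vulnerability scan confirms the finding is closed.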
A vulnerability management agent or a credentialed scan can confirm remediation, and detect other known vulnerabilities at the same time.
How We Help
At RB Consultancy Ltd we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Assured Cyber Advisor – we help organisations understand and implement technical controls and provide detailed steps on how to resolve this vulnerability
- As Cyber Essentials Plus Assessor, we assess organisations against the requirements and carry out vulnerability assessments
- As a Cyber Essentials Plus Certification Body, we issue organisations with certifications
Conclusion
Cyber Essentials Plus testing identifies critical and high-risk vulnerabilities. By making registry changes, it’s possible to effectively mitigate the WinVerifyTrust vulnerability and enhance system security. Regular updates and monitoring of the system for vulnerabilities are essential when maintaining a secure environment. There is always risk when making changes – follow best practice guidance on rolling out change (reverting if needed).
Information sources for WinVerifyTrust vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2013-3900
- https://learn.microsoft.com/en-us/answers/questions/1182542/cve-2013-3900-winverifytrust-signature-validation