Описание
Windows Cryptographic Services Security Feature Bypass Vulnerability
FAQ
Are there any further actions I need to take to be protected from this vulnerability?
Yes. The Windows Smart Card infrastructure relies on the Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) to isolate cryptographic operations from the Smart Card implementation. The KSP is part of the Crypto Next Generation (CNG) architecture and is intended to support modern smart cards. In the case of RSA based certificates, the Smart Card Certificate Propagation service automatically overrides the default and uses the CSP instead of the KSP. This limits usage to the cryptography provided by the CSP and does not benefit from the modern cryptography provided by the KSP.
UPDATE: Starting with the April 2025, the fix will automatically generate an audit event in cases where the Cryptographic Service Provider (CSP) is being used with RSA keys. If you have not already enabled the fix using the DisableCapiOverrideForRSA setting, you should monitor your systems any error events in the Windows system event log.
The Windows System event will include text that says:
| Event ID | Event Type | Text |
|---|---|---|
| 624 | Error | Audit: This system is using CAPI for RSA cryptography operations. Please refer to the following link for more detail: https://go.microsoft.com/fwlink/?linkid=2300823 |
Note: when you enable the DisableCapiOverrideForRSA setting, auditing will stop.
Beginning with the July 2024 security updates released on July 9, 2024, this vulnerability will be addressed by removing the RSA override and using the KSP as the default. This change is initially disabled by default to allow customers to test it in their environment and to detect any application compatibility issues that might occur with this change.
Please enable this fix and test applications in your environment that rely on RSA based certificates and smart cards. If you detect applications that rely on the old behavior of defaulting to the CSP, work with your application vendor to update the application so that the KSP can be used by default.
The fix can be enabled by setting the following registry key. Set the registry key to the value 1 to enable the fix for CVE-2024-30098.
| Registry Subkey | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais |
|---|---|
| Key Value name | DisableCapiOverrideForRSA |
| Data Type | REG_DWORD |
| Data | Set to 1 to enable the fix for CVE-2024-30098 and set to 0 or remove the key to disable the fix. |
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to create a SHA1 hash collision successfully.
What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could bypass digital signatures on a vulnerable system.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Windows Server 2012 R2 | ||
| Windows Server 2012 R2 (Server Core installation) | ||
| Windows 10 for 32-bit Systems | ||
| Windows 10 for x64-based Systems | ||
| Windows Server 2016 | ||
| Windows 10 Version 1607 for 32-bit Systems | ||
| Windows 10 Version 1607 for x64-based Systems | ||
| Windows Server 2016 (Server Core installation) | ||
| Windows 10 Version 1809 for 32-bit Systems | ||
| Windows 10 Version 1809 for x64-based Systems |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
7.5 High
CVSS3
Связанные уязвимости
Windows Cryptographic Services Security Feature Bypass Vulnerability
Windows Cryptographic Services Security Feature Bypass Vulnerability
Уязвимость служб Cryptographic Service Provider (CSP) и Key Storage Provider (KSP) операционных систем Windows, позволяющая нарушителю обойти ограничения безопасности
EPSS
7.5 High
CVSS3