Unpatched bug in Windows SymCrypt library could cause DoS condition, warns researcher

News by Bradley Barth

Even though the problem is of relatively low severity, it is worth taking note of because it could take down an entire Windows fleet relatively easily, said Project Zero researcher Tavis Ormandy

Google’s Project Zero vulnerability hunting team has publicly disclosed an unpatched bug in the SymCrypt cryptography library for Windows, which could create a denial of service condition when the user initiates any function that requires cryptography.

Project Zero researcher Tavis Ormandy said in a 11 June tweet that even though the problem is of "relatively low severity," it is worth taking note of because it "could take down an entire Windows fleet relatively easily."

"There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," explains an online vulnerability analysis written by Ormandy and published by Project Zero.

Ormandy said the Project Zero team revealed the vulnerability after Microsoft Corp. failed to patch the issue by Google’s disclosure deadline, which is set at 90 days after a bug is discovered. Microsoft intends to distribute a fix in July, said Tim Willis, senior security engineering manager at Google, in a comment he added to the vulnerability analysis.

According to a Microsoft spokesperson, the company attempted to meet Google’s deadline, but ran into some unexpected complications.

"Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule," the spokesperson said in a statement. "We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."

In the vulnerability analysis, Ormandy says he was able to craft an X.509 digital certificate that triggers the bug. "I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any Windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted," he wrote. "Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock."

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews