Google’s Project Zero vulnerability hunting team has publicly disclosed an unpatched bug in the SymCrypt cryptography library for Windows, which could create a denial of service condition when the user initiates any function that requires cryptography.
Project Zero researcher Tavis Ormandy said in a June 11 tweet that even though the problem is of “relatively low severity,” it is worth taking note of because it “could take down an entire windows fleet relatively easily.”
“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,” explains an online vulnerability analysis written by Ormandy and published by Project Zero.
Ormandy said the Project Zero team revealed the vulnerability after Microsoft Corp. failed to patch the issue by Google’s disclosure deadline, which is set at 90 days after a bug is discovered. Microsoft intends to distribute a fix in July, said Tim Willis, senior security engineering manager at Google, in a comment he added to the vulnerability analysis.
According to a Microsoft spokesperson, the company attempted to meet Google’s deadline, but ran into some unexpected complications.
“Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule,” the spokesperson said in a statement. “We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
In the vulnerability analysis, Ormandy says he was able to craft an X.509 digital certificate that triggers the bug. “I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any Windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted,” he wrote. “Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”