Tavis Ormandy, security researcher at Google’s Project Zero, has “noticed a bug in SymCrypt, the core library that handles all crypto on Windows.” The bug is a zero-day of the DoS (denial-of-service) type.
The bug means that “basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything)”, the researcher revealed in a series of tweets. Apparently, Microsoft committed to fixing it in 90 days, but it still hasn’t.
Initially, the company said that they would like to issue a bulletin for the issue, but need until June 11th. On that day, however, Microsoft noted that “the patch won’t ship today”. A patch wouldn’t be ready until the July release due to issues found in testing.
More about the SymCrypt bug
The issue is located in Windows’ SymCrypt core cryptographic library that has been available for symmetric algorithms since Windows 8. SymCrypt is also considered the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.
A bug report about the issue is now available on Chromium, after the 90-day deadline has passed. This is what the bug report says:
There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.
In addition, Ormandy has been able to construct an X.509 certificate that triggers the bug. The researcher also discovered that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, will “effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted”.
Since lots of software that handles untrusted content (such as antivirus programs) call these routines on untrusted data, this would cause them to deadlock.
Even though the bug is low in severity, it shouldn’t be overlooked. A patch is expected to be delivered via July 2018’s Patch Tuesday.