CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

Roger Roger 6,671 Reputation points
2023-02-20T20:35:49.2333333+00:00

Hi All

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

To remediate CVE-2013-3900, the guidance is to add the registry values below.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

  1. On Windows Server 2016/2019 I don't see the Wintrust\Config folders in the registry. Do I need to create these folders and the registry value "EnableCertPaddingCheck"="1"?
  2. Using a PowerShell script I have created the Wintrust and Config folders and added "EnableCertPaddingCheck"="1". Is the REG_SZ type correct?
    1. A (Default) REG_SZ value also got created; will this cause any issue?


Accepted answer
  1. Anonymous
    2023-02-20T20:50:08.7933333+00:00

    Using the REG file examples a REG_SZ will be created by default so yes it would be correct.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    10 people found this answer helpful.

7 additional answers

Sort by: Most helpful
  1. Rafid PBICL 5 Reputation points
    2024-05-02T06:25:22.17+00:00

    According to this article: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098

    Windows server 2016, 2019 and 2022 are not in the list of affected products.

    So, do I still need to apply the remediation steps on Windows Server 2016, 2019 and 2022 for the CVE-2013-3900 vulnerability?

    Waiting for your prompt response.

    1 person found this answer helpful.

  2. Brian Simpson 15 Reputation points
    2023-07-07T22:22:32.6766667+00:00
    1. Make the .reg from the entries below.
    2. Transfer it to the user's machine and run.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"


  3. Raghu Sharma 6 Reputation points
    2024-08-21T11:26:45.45+00:00

    Anyone looking to do this can use the code below.

    Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.

    # Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

    # Native (64-bit) registry view: create the Wintrust\Config key if it is missing.
    if (!(Test-Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust')) {
        New-Item -Path 'HKLM:\Software\Microsoft\Cryptography' -Name 'Wintrust' | Out-Null
    }
    if (!(Test-Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')) {
        New-Item -Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust' -Name 'Config' | Out-Null
    }
    # Enable the Authenticode padding check (written here as a DWORD).
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type DWORD

    # WOW64 (32-bit) registry view, so 32-bit processes on 64-bit Windows get the same setting.
    if (!(Test-Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust')) {
        New-Item -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography' -Name 'Wintrust' | Out-Null
    }
    if (!(Test-Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config')) {
        New-Item -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust' -Name 'Config' | Out-Null
    }
    Set-ItemProperty -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type DWORD

    Write-Output 'Please reboot your system to apply the changes.'

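The thread's scripts write the setting; the added example below (my own code, not from any poster or from Microsoft) instead audits it, answering the original question about the value type by reporting whether EnableCertPaddingCheck exists under each Wintrust\Config path and whether it was stored as REG_SZ or REG_DWORD. The function name and the 64-bit check are this example's own choices; it only reports registry contents and does not test how wintrust.dll interprets them.

```powershell
# Added example: audit the CVE-2013-3900 mitigation on the local machine.
# Reports, per registry view, whether EnableCertPaddingCheck is present,
# its registry type (String = REG_SZ, DWord = REG_DWORD) and its value.
function Test-CertPaddingCheck {
    [CmdletBinding()]
    param()

    $valueName = 'EnableCertPaddingCheck'
    $paths = @('HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')
    # Assumption: the Wow6432Node view is only meaningful on 64-bit Windows.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }

    foreach ($path in $paths) {
        $result = [PSCustomObject]@{
            Path    = $path
            Present = $false
            Type    = $null
            Value   = $null
            Enabled = $false
        }
        # Get-Item on an HKLM: path returns a RegistryKey, which exposes the value kind.
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $valueName)) {
            $result.Present = $true
            $result.Type    = $key.GetValueKind($valueName)
            $result.Value   = $key.GetValue($valueName)
            # Accept either the REG_SZ "1" from the MSRC .reg sample or a DWORD 1.
            $result.Enabled = ([string]$result.Value -eq '1')
        }
        $result
    }
}

# Print the per-path findings and an overall verdict for a compliance report.
$findings = Test-CertPaddingCheck
$findings | Format-Table -AutoSize
if (($findings | Where-Object { -not $_.Enabled }).Count -eq 0) {
    Write-Output 'EnableCertPaddingCheck is set in every registry view checked.'
} else {
    Write-Output 'EnableCertPaddingCheck is missing or not 1 in at least one view.'
}
```

Run it in an elevated PowerShell session after applying the .reg file or script from the answers above; a Present=True row with Type=String corresponds to the REG_SZ value the accepted answer describes.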
