CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

Roger Roger 6,571 Reputation points
2023-02-20T20:35:49.2333333+00:00

Hi All

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

To remediate the vulnerability CVE-2013-3900, add the registry values below.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

  1. On Windows Server 2016/2019 I don't see the folders Wintrust\Config in the registry. Do I need to create these folders and the registry value EnableCertPaddingCheck="1"?
  2. Using a PowerShell script I have created the Wintrust and Config folders and added EnableCertPaddingCheck="1". Is the REG_SZ type correct?
    1. (Default) REG_SZ also got created; will this cause any issue?


Accepted answer
  1. Anonymous
    2023-02-20T20:50:08.7933333+00:00

    Using the REG file examples a REG_SZ will be created by default so yes it would be correct.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    10 people found this answer helpful.
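    The following PowerShell script is an added example for this thread, not code posted by the question author or by Microsoft. It creates the Wintrust\Config key (and the Wow6432Node copy on 64-bit Windows) when it is missing, writes EnableCertPaddingCheck as a REG_SZ "1" exactly as the .reg values quoted in the question would, and then reads both locations back so the value and its type can be checked. It assumes an elevated session, since writing under HKLM requires administrator rights.

```powershell
# Added example (not from the thread): create the Wintrust\Config keys if missing and set
# EnableCertPaddingCheck as a REG_SZ "1", matching the .reg values quoted in the question.
# Run from an elevated PowerShell session; HKLM writes need administrator rights.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($path in $paths) {
    # Wow6432Node only exists on 64-bit Windows; skip the 32-bit view on a 32-bit OS.
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) {
        Write-Verbose "Skipping $path (32-bit OS)"
        continue
    }

    # New-Item -Force creates every missing parent key (Wintrust and Config) in one call
    # and leaves an existing key untouched.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # PropertyType String is REG_SZ, the type the .reg file examples produce.
    # -Force overwrites a pre-existing value of any type.
    New-ItemProperty -LiteralPath $path -Name 'EnableCertPaddingCheck' `
        -Value '1' -PropertyType String -Force | Out-Null
}

# Verify: read the value back from both views and report its registry type.
foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key   = Get-Item -LiteralPath $path
    $value = $key.GetValue('EnableCertPaddingCheck')
    $kind  = $key.GetValueKind('EnableCertPaddingCheck')   # String means REG_SZ
    [pscustomobject]@{ Path = $path; EnableCertPaddingCheck = $value; Type = $kind }
}
```

    The verification loop prints the value kind so a REG_SZ "1" can be told apart from a REG_DWORD 1 when auditing machines that were patched by different scripts. The (Default) entry that regedit shows under every key is the key's unnamed default value; it exists on every registry key and is listed as "(value not set)" unless something writes to it, and neither this script nor the .reg file in the question writes it.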

7 additional answers

Sort by: Most helpful
  1. Matt D. Sardi 35 Reputation points
    2023-03-24T12:44:16.2033333+00:00

    These reg keys do not resolve this vulnerability. I am still waiting for Microsoft to provide an updated and working resolution.

    4 people found this answer helpful.

  2. Roger Roger 6,571 Reputation points
    2023-02-21T04:50:24.7566667+00:00

    On Windows Server 2016/2019 I don't see the folders Wintrust\Config in the registry. Do I need to create these folders and the registry value EnableCertPaddingCheck="1"?

    3 people found this answer helpful.

  3. Fernando Palerosi Carneiro 10 Reputation points
    2023-12-01T09:54:28.52+00:00

    No problem with registry type DWORD.

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1

    REG ADD "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1

    2 people found this answer helpful.

  4. Brian Simpson 15 Reputation points
    2023-07-03T18:06:12.7966667+00:00

    Made the .reg from the entries below. Transferred it to the user's machine and ran. Waiting for SP360 to refresh and I'll verify the fix.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    1 person found this answer helpful.
