What would be the detection?

Duchemin, Dominique 2,006 Reputation points
2022-09-09T01:44:38.447+00:00

Hello,

I created a CI and CB for the remediation of the CVE-2013-3900.
The remediation is:

<#

.DESCRIPTION  
    MS13-098: Vulnerability in Windows Could Allow Remote Code Execution (2893294) / CVE-2013-3900  

#>

function DetectCVEIssue {

Registry to correct CVE-2013-3900

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-
}

DetectCVEIssue

But what would be the detection?
Thanks,
Dom

Microsoft Configuration Manager

11 answers

  1. AllenLiu-MSFT 44,191 Reputation points Microsoft Vendor
    2022-09-09T09:35:17.997+00:00

    Hi, @Duchemin, Dominique

    Thank you for posting in Microsoft Q&A forum.

    Check if this discovery script helps:

    #Check for EnableCertPaddingCheck

    $a = (get-itemproperty -Path "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)
    $b = (get-itemproperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)

    if ($a -eq $null) and ($b -eq $null)
    {Write-Host 'Compliant'}
    Else
    {Write-Host 'Non-Compliant'}
    


    1 person found this answer helpful.

  2. AllenLiu-MSFT 44,191 Reputation points Microsoft Vendor
    2022-09-13T07:53:39.69+00:00

    Hi, @Duchemin, Dominique

    Thank you for correcting the detection script, I hadn't tested it before posting it.
    It seems you need to make the "EnableCertPaddingCheck"="1", and you have only "The value returned by the specified script" true or false, so the detection script should be:

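    # Read the value itself: get-itemproperty alone returns an object, which never equals 1
    $a = (get-itemproperty -Path "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    $b = (get-itemproperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue).EnableCertPaddingCheck

    # A missing key or value leaves $a / $b as $null, which reports False
    if (($a -eq 1) -And ($b -eq 1))
    {Write-Host 'True'}
    Else
    {Write-Host 'False'}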
    

    For the setting discovery error 0x87d00327, you may try to use the "Open" button when creating or updating the detection script in the CI for it to properly preserve the script and signature instead of copy and paste.

    1 person found this answer helpful.

  3. Duchemin, Dominique 2,006 Reputation points
    2022-09-09T16:28:13.393+00:00

    Hello,

    PS C:\Windows\system32> #Check for EnableCertPaddingCheck

    $a = (get-itemproperty -Path "HKLM:Software\Microsoft\Windows\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)
    $b = (get-itemproperty -Path "HKLM:Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)

    if ($a -eq $null) and ($b -eq $null)
    {Write-Host 'Compliant'}
    Else
    {Write-Host 'Non-Compliant'}
    At line:6 char:18
    + if ($a -eq $null) and ($b -eq $null)
    +                  ~
    Missing statement block after if ( condition ).
        + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : MissingStatementBlock

    There is an error... checking it

    Thanks,
    Dom


  4. Duchemin, Dominique 2,006 Reputation points
    2022-09-09T16:35:05.497+00:00

    Hello,

    #Check for EnableCertPaddingCheck

    $a = (get-itemproperty -Path "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)
    $b = (get-itemproperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" -name "EnableCertPaddingCheck" -ErrorAction SilentlyContinue)

    if (($a -eq $null) -And ($b -eq $null))
    {Write-Host 'Compliant'}
    Else
    {Write-Host 'Non-Compliant'}

    -----------------------------------------------------------------------------------------------------------------

    I changed the and to -And and added () for the complete test...

    It is working now thanks,
    Dom


  5. Duchemin, Dominique 2,006 Reputation points
    2022-09-10T00:58:35.357+00:00

    Hello,

    Detection works
    but the remediation is having an error:
    Errors:
    Error Type: Setting Discovery Error
    Error Code: 0x87d00327
    Error Description: Script is not signed
    Error Source: CCM

    the remediation script is:

    <#
    .DESCRIPTION
    MS13-098: Vulnerability in Windows Could Allow Remote Code Execution (2893294) / CVE-2013-3900

    #>

    Registry to correct CVE-2013-3900

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    }

    What is missing?

    Thanks,
    Dom
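
The detection and remediation discussed in this thread, written as PowerShell for a configuration item's script setting; this is an added example, not code posted by anyone in the thread. The key and value names are the ones quoted above, the function names are hypothetical, and writing the value as the string "1" mirrors the .reg text in the thread and is an assumption. It needs PowerShell 3.0 or later (.NET 4 registry views).

```powershell
# Added example, not from the thread. Key and value names are the ones quoted in the thread.
# Assumption: the value is written as a string ("1"), mirroring the thread's .reg text.
$SubKey    = 'Software\Microsoft\Cryptography\Wintrust\Config'
$ValueName = 'EnableCertPaddingCheck'

function Get-RegistryViews {
    # Explicit views avoid WOW64 redirection when the script runs in a 32-bit host;
    # the 32-bit view of HKLM\Software is what appears as Wow6432Node on 64-bit Windows.
    if ([Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
    } else {
        [Microsoft.Win32.RegistryView]::Registry32
    }
}

function Test-CertPaddingCheck {
    # Discovery: $true only when every view holds EnableCertPaddingCheck = 1.
    foreach ($view in Get-RegistryViews) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        try {
            $key   = $base.OpenSubKey($SubKey)              # $null when the key is absent
            $value = if ($key) { $key.GetValue($ValueName) } else { $null }
            if ($key) { $key.Dispose() }
            if ("$value" -ne '1') { return $false }         # missing, 0 or anything else
        } finally { $base.Dispose() }
    }
    return $true
}

function Set-CertPaddingCheck {
    # Remediation: create the key if needed and write the value in every view.
    foreach ($view in Get-RegistryViews) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        try {
            $key = $base.CreateSubKey($SubKey)              # opens writable, creates if missing
            $key.SetValue($ValueName, '1', [Microsoft.Win32.RegistryValueKind]::String)
            $key.Dispose()
        } finally { $base.Dispose() }
    }
}

# Discovery script body: emit one value for the compliance rule to compare against.
Test-CertPaddingCheck
# Remediation script body (a separate script in the CI): call Set-CertPaddingCheck instead.
```

In a configuration item the discovery and remediation bodies are entered as separate PowerShell scripts, not as .reg text. Whether an unsigned script is allowed to run is decided by the PowerShell execution policy in the client's Computer Agent settings.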

