Hi All https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 To remediate the vulnerability CVE-2013-3900 is to add the below registry values. [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1. using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct? {Default}-Reg_SZ also got created, will this create any issue.

Using the REG file examples a REG_SZ will be created by default so yes it would be correct. --please don't forget to upvote and Accept as answer if the reply is helpful--

These reg keys do not resolve this vulnerability. I am still waiting for Microsoft to provide an updated and working resolution.

On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1

Made the .reg from the entries below. Transferred it to the user's machine and ran. Waiting for SP360 to refresh and I'll verify the fix. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"

No problem with registry type DWORD. REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1 REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

Roger Roger 6,346

Hi All

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

To remediate the vulnerability CVE-2013-3900 is to add the below registry values.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1.
using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct?
1. {Default}-Reg_SZ also got created, will this create any issue.

reg

Pete 51 Reputation points

2023-04-21T17:23:16.44+00:00
To be clear in the link provided https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900under the FAQ section there are Suggested Actions. Copy the text paste into a text file and save as SomeName.reg Be sure to copy the right text for either x64 or x32 machine. Export your registry, I would do it at the Software level, so you get both entries. Then double click on the .reg file and it will update the registry for you. Go into HKLM\Software\Microsoft\Cryptography and you should see the entry. Also check Wow6432Node. Restart your computer for it to take effect.
This is better than manually trying to enter the registry info. This is the x64 entry.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
Ankita, Parab 45 Reputation points

2024-02-16T10:16:14.7833333+00:00

What is the impact of Registry changes apart from fixing vulnerability?

Accepted answer

Anonymous

2023-02-20T20:50:08.7933333+00:00

Using the REG file examples a REG_SZ will be created by default so yes it would be correct.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

9 people found this answer helpful.
Shamshad Ansari 0 Reputation points

2024-09-25T06:59:58.1133333+00:00

how to create the folder..Pls help
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

7 additional answers

Matt D. Sardi 35 Reputation points

2023-03-24T12:44:16.2033333+00:00

These reg keys do not resolve this vulnerability. I am still waiting for Microsoft to provide an updated and working resolution.
Please sign in to rate this answer.

4 people found this answer helpful.
Mohit Sharma 15 Reputation points

2023-04-04T13:19:53.8966667+00:00

Why do you think they don't? These reg keys have resolved this vulnerability for us and no longer appears in our vulnerability scanner.

Shijin Nath 6 Reputation points

2023-04-27T11:24:28.9133333+00:00

Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

Microsoft does not have a permanent fix yet. The fix is suggested understanding the risk of going with it.

https://community.tenable.com/s/article/WinVerifyTrust-Signature-Validation-Mitigation-CVE-2013-3900

Brian Simpson 15 Reputation points

2023-07-07T22:21:07.63+00:00

Matt, actually worked for me.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Roger Roger 6,346 Reputation points

2023-02-21T04:50:24.7566667+00:00

On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1
Please sign in to rate this answer.

3 people found this answer helpful.
Anonymous

2023-02-21T13:36:42.0333333+00:00

Yes, you could create them.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Brian Simpson 15 Reputation points

2023-07-03T18:06:12.7966667+00:00

Made the .reg from the entries below. Transferred it to the user's machine and ran. Waiting for SP360 to refresh and I'll verify the fix.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
Please sign in to rate this answer.

1 person found this answer helpful.
Brian Simpson 15 Reputation points

2023-07-07T22:16:28.49+00:00

Proved the fix.

Microsoft stated that they have re-published the CVE-2013-3900 to inform customers about the availability of EnableCertPaddingCheck. This behavior remains available as an opt-in feature via the registry key setting and is available on all supported editions of Windows released since December 10, 2013. 

Microsoft recommends that executable authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that customers appropriately test this change to evaluate how it will behave in their environments.

Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1" 

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1"

QID Detection Logic (Authenticated): 

This QID checks for the presence of these registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config and HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config, and checks whether the value 'EnableCertPaddingCheck' associated with these keys is set to 1. 

If these keys are missing or the value is not set to 1, then this QID gets reported as a vulnerability is several security monitoring programs, including SP360

"
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Fernando Palerosi Carneiro 5 Reputation points

2023-12-01T09:54:28.52+00:00

No problem with registry type DWORD.

REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

7 additional answers

Your answer