Hi All https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 To remediate the vulnerability CVE-2013-3900 is to add the below registry values. [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1. using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct? {Default}-Reg_SZ also got created, will this create any issue.

Using the REG file examples a REG_SZ will be created by default so yes it would be correct. --please don't forget to upvote and Accept as answer if the reply is helpful--

No problem with registry type DWORD. REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1 REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

According to this article: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098 Windows server 2016, 2019 and 2022 are not in the list of affected products. So, I still need to apply remediation steps on windows server 2016, 2019 and 2022 for CVE-2013-3900 vulnerability ? Waiting for your prompt response

CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

Roger Roger 4,951

Hi All

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

To remediate the vulnerability CVE-2013-3900 is to add the below registry values.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1.
using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct?
1. {Default}-Reg_SZ also got created, will this create any issue.

reg

Pete 41 Reputation points

2023-04-21T17:23:16.44+00:00
To be clear in the link provided https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900under the FAQ section there are Suggested Actions. Copy the text paste into a text file and save as SomeName.reg Be sure to copy the right text for either x64 or x32 machine. Export your registry, I would do it at the Software level, so you get both entries. Then double click on the .reg file and it will update the registry for you. Go into HKLM\Software\Microsoft\Cryptography and you should see the entry. Also check Wow6432Node. Restart your computer for it to take effect.
This is better than manually trying to enter the registry info. This is the x64 entry.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
Ankita, Parab [ INDEC-INFRA ] 20 Reputation points

2024-02-16T10:16:14.7833333+00:00

What is the impact of Registry changes apart from fixing vulnerability?

Accepted answer

Dave Patrick 426.1K Reputation points MVP

2023-02-20T20:50:08.7933333+00:00

Using the REG file examples a REG_SZ will be created by default so yes it would be correct.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

7 people found this answer helpful.

0 comments No comments
Sign in to comment

6 additional answers

Fernando Palerosi Carneiro 0 Reputation points

2023-12-01T09:54:28.52+00:00

No problem with registry type DWORD.

REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Rafid PBICL 0 Reputation points

2024-05-02T06:25:22.17+00:00

According to this article: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098

Windows server 2016, 2019 and 2022 are not in the list of affected products.

So, I still need to apply remediation steps on windows server 2016, 2019 and 2022 for CVE-2013-3900 vulnerability ?

Waiting for your prompt response
Please sign in to rate this answer.

0 comments No comments
Sign in to comment