10-Year-Old Windows Vulnerability Exploited in 3CX Attack

March 31, 2023

A 10-year-old Windows vulnerability, CVE-2013-3900, continues to be exploited in attacks, making it appear that executables are legitimately signed. The fix from Microsoft remains 'opt-in' after all these years and is removed after upgrading to Windows 11. Recently, VoIP communications company 3CX was compromised in a large-scale supply chain attack, involving trojanized versions of its Windows desktop application. Two DLLs used by the application were replaced with malicious versions that downloaded additional malware, such as an information-stealing trojan. One of these malicious DLLs, d3dcompiler_47.dll, was usually a legitimate DLL signed by Microsoft but was modified by the threat actors to include an encrypted malicious payload. Despite the file being modified, Windows still showed it as correctly signed by Microsoft.

The DLL is exploiting the CVE-2013-3900 flaw, a 'WinVerifyTrust Signature Validation Vulnerability.' Microsoft first disclosed this vulnerability on December 10th, 2013, and explained that adding content to an EXE's authenticode signature section (WIN_CERTIFICATE structure) in a signed executable is possible without invalidating the signature. Will Dormann, a senior vulnerability analyst at ANALYGENCE, explained in tweets that the Google Chrome installer adds data to the Authenticode structure to determine if users opted into 'sending usage statistics and crash reports to Google.' Microsoft decided to make the fix optional, likely because it would invalidate legitimate, signed executables that stored data in the signature block of an executable.

Microsoft's disclosure for the CVE-2013-3900 states, 'On December 10, 2013, Microsoft released an update for all supported releases of Microsoft Windows that changes how signatures are verified for binaries signed with the Windows Authenticode signature format. This change can be enabled on an opt-in basis.' Almost a decade later, the vulnerability is still being exploited by numerous threat actors, but the fix remains opt-in and can only be enabled by manually editing the Windows Registry. Even if users apply the fix, it will be removed once they upgrade to Windows 11, making their devices vulnerable again.

Recent attacks, such as the 3CX supply chain and a Zloader malware distribution campaign in January, show that this vulnerability should be fixed, even if it inconveniences developers. Unfortunately, most people are unaware of this flaw and may assume malicious files are trustworthy because Windows reports them as being so. Dormann warned, 'But when a fix is optional, the masses aren't going to be protected.' Although the optional fix may cause issues with some installers, the added protection is worth the inconvenience.

Latest News

• Microsoft Fixes 'Hazardous' RCE Vulnerability in Azure Cloud Service
• Malware Botnets Actively Exploit Realtek and Cacti Vulnerabilities
• Critical IBM File Transfer Bug Targeted by Cybercriminals: Patch Urgently Required
• Google TAG Exposes Exploit Chains Used to Install Commercial Spyware
• Crown Resorts Investigates Cl0p Ransomware Group's Data Theft Claims