Welcome to deBUG.to Community where you can ask questions and receive answers from Microsoft MVPs and other experts in our community.
1 like 0 dislike
1.8k views
in Windows Server by 12 30 48

I got this WinVerifyTrust Signature Validation Vulnerability from a vulnerability scanner in SharePoint servers and other servers and its height Severity, which means it must solve.

Below are details of this vulnerability:

Plugin Name: 

  • WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)

Plugin Output: 

  • Nessus detected the following potentially insecure registry key configuration:
Software\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck
Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck 

From the Plugin Output, it sounds like we need to add this key to the registry, but I can't find the path of this key in the registry.


1 Answer

1 like 0 dislike
by 12 30 48
selected by
 
Best answer

WinVerifyTrust Signature Validation

To close this vulnerability simply add a key to the registry EnableCertPaddingCheck and set it to 1 for the path you get from the Plugin Output.
The below Steps is the Solution for WinVerifyTrust Signature Validation Vulnerability:

1) Paste the below text to notepad or any text editor then save the file to .reg extension such as "WinVerifyTrust.reg"
For 32-bit:

Windows Registry Editor Version 5.00  
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
"EnableCertPaddingCheck"="1"  

For 64-bit:

Windows Registry Editor Version 5.00  
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] 
"EnableCertPaddingCheck"="1"

2) Run the file you created by double-clicking.

3) Check the two paths in the registry as shown in the image.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config

You must reboot the server for your changes to take effect


References:

If you don’t ask, the answer is always NO!
...