I have an IT department asking if they can put Windows Authenticode in place on the Sage server. I looked on my computer and I do not have the registry paths indicated. Has anyone run into this or issues?
Threat
Microsoft stated that they have re-published the CVE-2013-3900 to inform customers about the availability of EnableCertPaddingCheck. This behavior remains available as an opt-in feature via the registry key setting and is available on all supported editions of Windows released since December 10, 2013.
Microsoft recommends that executable authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that customers appropriately test this change to evaluate how it will behave in their environments.
Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1"
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1"
QID Detection Logic (Authenticated):
This QID checks for the presence of these registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config and HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config, and checks whether the value 'EnableCertPaddingCheck' associated with these keys is set to 1.
If these keys are missing or the value is not set to 1, then this QID gets reported.
Fix - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
------------------------------
Michele Herzog, CPA, CITP, CGMA
Overland Park, KS
816-520-1365
------------------------------
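The Wintrust\Config key the report refers to does not exist on a default install; it has to be created, which is why it is absent on a clean machine and why the QID flags it. The following PowerShell script, added here as an illustration and not part of the original post, Qualys, or Microsoft's guidance, audits both locations the way the QID description says the check works (key present, value present, value equal to 1) and, with -Enable, opts the machine in by creating the key and value. It writes the value in the same form as the .reg snippet quoted above ("EnableCertPaddingCheck"="1", which in .reg syntax is a REG_SZ string) and treats either a string "1" or a DWORD 1 as enabled when auditing. The -Enable and -TestBinary parameters are names chosen for this example. Run it from an elevated prompt.

```powershell
# Added example (not from the original post, Qualys or Microsoft): audit and, with -Enable,
# opt in to the CVE-2013-3900 Authenticode padding check on this machine.
[CmdletBinding()]
param(
    [switch]$Enable,       # create the key(s)/value(s) and set EnableCertPaddingCheck to "1"
    [string]$TestBinary    # optional: a signed file to re-verify after the change
)

$valueName = 'EnableCertPaddingCheck'
$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit processes on 64-bit Windows read the redirected Wow6432Node view,
    # so the second location only matters on x64 installs.
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

# Mirrors the QID logic: "key missing", "value missing", or the value not equal to 1
# are all reported; only a value equal to 1 (REG_SZ "1" or REG_DWORD 1) counts as enabled.
function Get-PaddingCheckState {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'key missing' }
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value missing' }
    if ($item.$valueName -eq 1) { return 'enabled' }
    return "set to '$($item.$valueName)'"
}

foreach ($p in $paths) {
    $state = Get-PaddingCheckState -Path $p
    Write-Host ("{0,-72} {1}" -f $p, $state)

    if ($Enable -and $state -ne 'enabled') {
        if (-not (Test-Path -Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Same representation as the published .reg file: a string value "1".
        New-ItemProperty -Path $p -Name $valueName -Value '1' -PropertyType String -Force | Out-Null
        Write-Host ("{0,-72} {1}" -f $p, (Get-PaddingCheckState -Path $p))
    }
}

if ($TestBinary) {
    # Re-check a signed file after the change. A file whose WIN_CERTIFICATE structure
    # carries extra, unsigned bytes is expected to stop reporting Status = Valid once
    # the stricter verification is on; a clean signature should still report Valid.
    $sig = Get-AuthenticodeSignature -FilePath $TestBinary
    Write-Host ("{0}: {1} ({2})" -f $TestBinary, $sig.Status, $sig.StatusMessage)
}
```

Typical use: run the script with no switches first to see what the scanner sees, then `.\Check-CertPadding.ps1 -Enable -TestBinary C:\Sage\bin\SomeSigned.exe` (file name chosen for this example) on a test box so any installer or update package that fails the stricter check turns up before the setting is rolled out, which is the testing Microsoft recommends in the report text.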