Flaw in SymCrypt Can Trigger DDoS

A vulnerability in the SymCrypt cryptographic library of Microsoft's OS can trigger a distributed denial-of-service (DDoS) disruption in Windows 8 servers and above, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher.

“I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't,” Ormandy tweeted.

Now that we’ve entered the 91st day, Ormandy has gone public with what he said is a relatively low-severity bug. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g., ipsec, iis, exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock,” Ormandy wrote in the Project Zero vulnerability report.
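The failure mode Ormandy describes, a modular-inverse routine that never finishes on attacker-chosen input, is the kind of bug a hard step bound turns into a clean error. The example below is added here and is not SymCrypt's code; it assumes nothing about the specific bit patterns involved, and the function names and the bound derived from Lamé's theorem are this example's own.

```python
# Added example (not SymCrypt code): modular inverse via the extended
# Euclidean algorithm with an explicit iteration cap, so a computation
# that fails to converge raises instead of spinning forever.

def modinv_with_steps(a: int, m: int) -> tuple:
    """Return (a^-1 mod m, number of division steps taken).

    For an m of b bits the Euclidean algorithm needs at most about
    1.44*b + 2 division steps (Lamé's theorem), so 2*b + 2 is a safe
    cap: exceeding it means the implementation is wrong, not that the
    input is merely large. Non-invertible inputs (gcd != 1) are rejected
    with ValueError rather than fed back into the loop.
    """
    if m <= 1:
        raise ValueError("modulus must be > 1")
    a %= m
    if a == 0:
        raise ValueError("0 has no inverse")
    max_steps = 2 * m.bit_length() + 2
    old_r, r = a, m          # remainders
    old_s, s = 1, 0          # Bezout coefficients for a
    steps = 0
    while r != 0:
        steps += 1
        if steps > max_steps:
            # Unreachable for a correct Euclid loop; this is the guard
            # against the "perpetual operation" class of bug.
            raise RuntimeError("modular inverse exceeded its step bound")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} is not invertible mod {m} (gcd={old_r})")
    return old_s % m, steps


def bounded_modinv(a: int, m: int) -> int:
    """Convenience wrapper returning only the inverse."""
    return modinv_with_steps(a, m)[0]


def is_invertible(a: int, m: int) -> bool:
    """True if a has an inverse mod m; never hangs on bad input."""
    try:
        bounded_modinv(a, m)
        return True
    except ValueError:
        return False
```

Consecutive Fibonacci numbers are the worst case for Euclid's algorithm, so checking them against the bound is a quick way to confirm the cap is not too tight.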
