Published: 2016/10/07  Last Updated: 2016/10/07

JVN#20786316
Cryptography API: Next Generation (CNG) vulnerable to denial-of-service (DoS)

Overview

Cryptography API: Next Generation (CNG) contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Cryptography API: Next Generation (CNG) in Windows 7 and earlier
According to the developer, CNG included in Windows 8 and later is not affected by this vulnerability.

Description

Cryptography API: Next Generation (CNG) contains an issue in BCryptDecrypt, which may result in a denial-of-service (DoS).

Impact

If CNG processes specially crafted key data, the product may terminate abnormally.

Solution

Upgrade Windows
According to the developer, CNG included in Windows 8 and later is not affected by this vulnerability.
Upgrade Windows to 8.1 or later.

The developer has provided the following statement:

The impact of this issue is limited. It could only result in a localized Denial of Service condition, at worst. This could not be exploited or code executed remotely.

The issue does not exist in Windows 8 and above. We recommend that customers upgrade their system to the supported version of Windows 8.1 or above.

Vendor Status

Vendor                     Status       Last Update   Vendor Notes
Microsoft Japan Co.,Ltd.   Vulnerable   2016/10/07

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Base Score: 3.3
  Attack Vector (AV): Local (L)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): None (N)
  Integrity Impact (I): None (N)
  Availability Impact (A): Low (L)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score: 4.3
  Access Vector (AV): Network (N)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): None (N)
  Integrity Impact (I): None (N)
  Availability Impact (A): Partial (P)

Credit

ASHINO, Yuki of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JVN iPedia JVNDB-2016-000195