CVE-2013-3900
Published: 11 December 2013
Summary
CVE-2013-3900 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 5.5 (Medium).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-14 (Signed Components).
Deeper analysis
A remote code execution vulnerability exists in the WinVerifyTrust function's handling of Windows Authenticode signature verification for portable executable (PE) files. The flaw affects supported releases of Microsoft Windows and stems from insufficient validation of certain file portions during signature checks, allowing modified signed executables to retain valid signatures despite containing injected code. Microsoft has republished the original 2013 CVE to clarify that the EnableCertPaddingCheck registry setting is available across all currently supported Windows 10 and Windows 11 editions, though the stricter verification behavior is not enabled by default.
An unauthenticated attacker can exploit the issue by modifying an already-signed PE file so that a malicious payload sits in a portion of the file that the signature check does not cover. Successful exploitation requires a user or application to run or install the file, after which the attacker can achieve complete system compromise, including installing programs, modifying data, or creating accounts with full privileges. The CVSS 3.1 score is 5.5, reflecting a local attack vector, low attack complexity, no privileges required, and user interaction required.
Microsoft security advisories state that mitigation is provided solely through the opt-in EnableCertPaddingCheck registry key, which has been supported since the December 2013 update and requires no additional security patch on Windows 10 or 11. The company does not plan to enforce stricter verification by default on supported platforms. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.
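As an added illustration (not part of this advisory and not Microsoft's code), the Python script below parses a PE file's Attribute Certificate Table and reports how many bytes sit after the PKCS#7 SignedData blob, which is the region the Authenticode hash does not cover and the gap that EnableCertPaddingCheck closes. It builds its own minimal PE32+ sample inline with a stand-in DER blob rather than a real signature, and the slack heuristic (oversize table or non-zero alignment padding) is the script's own, not Microsoft's implementation.

```python
import struct

# Constructed stand-in for the PKCS#7 SignedData blob: a 5-byte DER SEQUENCE.
# Only its outer DER length matters for this check, so no real signature is needed.
FAKE_PKCS7 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def der_total_length(buf, off=0):
    """Total encoded size (tag + length octets + content) of the DER element at buf[off]."""
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def cert_table_slack(pe):
    """Bytes in the Attribute Certificate Table that follow the PKCS#7 blob and are
    either beyond the 8-byte alignment the PE spec permits or non-zero. None of them
    are covered by the Authenticode hash, so a non-zero result means unverified data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                   # skip "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 data directories
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: SECURITY (file offset)
    if sec_size == 0:
        return 0                                          # unsigned file: nothing to check
    dw_length, _rev, ctype = struct.unpack_from("<IHH", pe, sec_off)  # WIN_CERTIFICATE header
    if ctype != 0x0002:                                   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unsupported certificate type")
    signed = der_total_length(pe, sec_off + 8)
    tail = pe[sec_off + 8 + signed:sec_off + dw_length]   # everything after the blob
    oversize = dw_length - ((8 + signed + 7) & ~7)        # beyond permitted alignment
    return max(oversize, len(tail.rstrip(b"\0")))         # non-zero padding also counts


def build_sample_pe(cert_blob, extra=b""):
    """Constructed minimal PE32+ image whose security directory points at a
    WIN_CERTIFICATE holding cert_blob followed by `extra` appended bytes (test input only)."""
    body = cert_blob + extra
    dw_length = (8 + len(body) + 7) & ~7                  # dwLength is rounded up to 8
    win_cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
    win_cert += b"\0" * (dw_length - len(win_cert))
    headers_len = 64 + 4 + 20 + 240                       # DOS + "PE\0\0" + COFF + PE32+ optional
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(struct.pack("<H", 0x20B) + b"\0" * 238)
    struct.pack_into("<II", opt, 112 + 4 * 8, headers_len, dw_length)
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert
```

Running `cert_table_slack` over a real signed binary is a quick way to spot files that rely on the default, lenient WinVerifyTrust behaviour before the registry setting is rolled out.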
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3832
Vulnerability details
Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013. Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.

Vulnerability Description

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
- CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Directly implements the EnableCertPaddingCheck registry setting that enforces stricter Authenticode padding validation and blocks the signature bypass.
- Requires cryptographic verification of software integrity for PE files, which the WinVerifyTrust flaw undermines.
- CM-14 (Signed Components): Mandates signature validation of executable components, directly addressing the Authenticode verification weakness.