App Control: Publisher Approvals With EnableCertPaddingCheck Enabled

Article ID: 291727

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Is there any compatibility issue with App Control when adding the registry keys for EnableCertPaddingCheck as outlined in CVE-2013-3900?

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

The Agent relies upon the Microsoft API (WinVerifyTrust) to validate certificates, and there are no compatibility concerns in adding the registry information to resolve the CVE.

Additional Information

  • The Microsoft SignTool can be used to compare against Agent certificate analysis.
  • There is no functionality built into App Control to modify the registry/patch against this CVE.
  • Once analyzed, the Agent will not re-inspect the certificate data. The EnableCertPaddingCheck setting has to be set when the file is first written.
  • Validate certs does not inspect the file itself; it checks the certificate and its chain to root.
  • Customers should follow Microsoft's guidance in addressing the CVE in their environment.
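
Because the Agent does not re-inspect certificate data after the first analysis, it helps to confirm that the setting is already in place on an endpoint before new files arrive. The following PowerShell check is an added example, not part of the original article or of App Control. It assumes the registry location and value name from Microsoft's CVE-2013-3900 guidance, and the function name is hypothetical.

```powershell
# Added example: report EnableCertPaddingCheck in both registry views.
# Assumption: key path and value name are those given in Microsoft's
# CVE-2013-3900 guidance. Get-CertPaddingCheckState is a hypothetical name.
function Get-CertPaddingCheckState {
    $subKey    = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    $valueName = 'EnableCertPaddingCheck'

    # Open each view explicitly so the result does not depend on whether
    # this PowerShell process is 32-bit or 64-bit (WOW64 redirection).
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views = @([Microsoft.Win32.RegistryView]::Registry64) + $views
    }

    foreach ($view in $views) {
        $key  = $null
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $state = 'NotConfigured'; $raw = $null; $kind = $null
            $key = $base.OpenSubKey($subKey)   # $null when the key is absent
            if ($key -and ($key.GetValueNames() -contains $valueName)) {
                $raw  = $key.GetValue($valueName)
                $kind = $key.GetValueKind($valueName)
                # Compared as text so a value of 1 matches whatever type it
                # was stored as; the stored type is reported so it can be
                # checked against Microsoft's guidance.
                $state = if ("$raw" -eq '1') { 'Enabled' } else { 'Disabled' }
            }
            [pscustomobject]@{
                View  = $view
                State = $state
                Value = $raw
                Kind  = $kind
            }
        }
        finally {
            if ($key) { $key.Close() }
            $base.Close()
        }
    }
}

# Flag the host if any view is missing the setting.
$result = Get-CertPaddingCheckState
$result | Format-Table -AutoSize
if ($result.State -contains 'NotConfigured' -or $result.State -contains 'Disabled') {
    Write-Warning 'EnableCertPaddingCheck is not enabled in every registry view.'
}
```

The script only reads the registry. Files analyzed before the setting was enabled keep the certificate result the Agent recorded at that time.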