Headline
CVE-2024-30098: Windows Cryptographic Services Security Feature Bypass Vulnerability
Are there any further actions I need to take to be protected from this vulnerability?
Yes. The Windows Smart Card infrastructure relies on the Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) to isolate cryptographic operations from the Smart Card implementation. The KSP is part of the Crypto Next Generation (CNG) architecture and is intended to support modern smart cards. In the case of RSA based certificates, the Smart Card Certificate Propagation service automatically overrides the default and uses the CSP instead of the KSP. This limits usage to the cryptography provided by the CSP and does not benefit from the modern cryptography provided by the KSP.
Beginning with the July 2024 security updates released on July 9, 2024, this vulnerability will be addressed by removing the RSA override and using the KSP as the default. This change is initially disabled by default to allow customers to test it in their environment and to detect any application compatibility issues that might occur with this change. We intend to enable this change by default with a monthly security update in early 2025.
Please enable this fix and test applications in your environment that rely on RSA based certificates and smart cards. If you detect applications that rely on the old behavior of defaulting to the CSP, work with your application vendor to update the application so that the KSP can be used by default.
The fix can be enabled by setting the following registry key. Set the registry key to the value 1 to enable the fix for CVE-2024-30098.
Registry Subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
Key Value name
DisableCapiOverrideForRSA
Data Type
REG_DWORD
Data
Set to 1 to enable the fix for CVE-2024-30098 and set to 0 or remove the key to disable the fix.