Hi All https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 To remediate the vulnerability CVE-2013-3900 is to add the below registry values. [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1. using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct? {Default}-Reg_SZ also got created, will this create any issue.

Using the REG file examples a REG_SZ will be created by default so yes it would be correct. --please don't forget to upvote and Accept as answer if the reply is helpful--

No problem with registry type DWORD. REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1 REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

Roger Roger 5,006

Hi All

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

To remediate the vulnerability CVE-2013-3900 is to add the below registry values.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1.
using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct?
1. {Default}-Reg_SZ also got created, will this create any issue.

reg

Pete 41 Reputation points

2023-04-21T17:23:16.44+00:00
To be clear in the link provided https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900under the FAQ section there are Suggested Actions. Copy the text paste into a text file and save as SomeName.reg Be sure to copy the right text for either x64 or x32 machine. Export your registry, I would do it at the Software level, so you get both entries. Then double click on the .reg file and it will update the registry for you. Go into HKLM\Software\Microsoft\Cryptography and you should see the entry. Also check Wow6432Node. Restart your computer for it to take effect.
This is better than manually trying to enter the registry info. This is the x64 entry.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
Ankita, Parab [ INDEC-INFRA ] 25 Reputation points

2024-02-16T10:16:14.7833333+00:00

What is the impact of Registry changes apart from fixing vulnerability?

Accepted answer

Dave Patrick 426.3K Reputation points MVP

2023-02-20T20:50:08.7933333+00:00

Using the REG file examples a REG_SZ will be created by default so yes it would be correct.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

8 people found this answer helpful.

0 comments No comments
Sign in to comment

6 additional answers

Brian Simpson 10 Reputation points

2023-07-07T22:22:32.6766667+00:00
Make the .reg from the entries below.

Transfer it to the user's machine and run.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
Please sign in to rate this answer.
BradH2000 0 Reputation points

2023-07-14T14:36:38.2033333+00:00

Would it have any negative effects to go ahead and add both entries x32/x64 to a x64 system? It would be easier to create a single .reg file and add everywhere.

Also our scanner is reporting a couple of 2012r2 servers. I'm guessing that the answer didn't include 2012r2 because it's EOL?
Sign in to comment
Fernando Palerosi Carneiro 0 Reputation points

2023-12-01T09:54:28.52+00:00

No problem with registry type DWORD.

REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1

REG ADD “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config” /v EnableCertPaddingCheck /t REG_DWORD /d 1
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

6 additional answers