Hey everyone,
I'm reaching out because we're facing a bit of a challenge in our organization. Carbon Black is flagging a large number of our Windows devices (mostly running Windows 10, with a few on Windows 11) as having the critical CVE-2013-3900 vulnerability. I've followed Microsoft's guidelines and installed the required registry keys on a test machine:
1. Set the registry key at `HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config` with `"EnableCertPaddingCheck"=dword:1`
2. Also set the same key at `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config` with the same value.
However, even after running a new detection cycle, Carbon Black still reports that the vulnerability is present. I read that Microsoft changed their guidance from using STRING VALUE to DWORD for these keys.
So, my question is: Does anyone know how Carbon Black determines whether or not the vulnerability exists? Are they checking for the specific key "EnableCertPaddingCheck" or do they require an exact match to the entire key including the type? I'm considering updating my keys to STRING type and waiting to see if that helps. Any advice would be appreciated!
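Added example, not code from the original post: a PowerShell script that applies the mitigation to both registry views exactly as the two steps above describe, and then reads each value back together with its registry type. It assumes an elevated PowerShell 5.1 or later session on 64-bit Windows, where `HKLM\SOFTWARE\Wow6432Node` is the 32-bit view; the function names and the `-PropertyType` switch for choosing DWORD or string are my own.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell 5.1+
# session on 64-bit Windows; HKLM\SOFTWARE\Wow6432Node is the 32-bit registry view.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$ValueName = 'EnableCertPaddingCheck'

# Apply the mitigation in both views. -PropertyType selects REG_DWORD (current
# guidance) or REG_SZ (older guidance); -Force replaces an existing value even
# when it was created with a different type.
function Set-CertPaddingCheck {
    param([ValidateSet('DWord', 'String')][string]$PropertyType = 'DWord')
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType $PropertyType `
            -Value 1 -Force | Out-Null
    }
}

# Read back each value with its registry type; this is what to compare against
# a scanner's expectation when a detection does not clear after the change.
function Get-CertPaddingCheckStatus {
    foreach ($path in $Paths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        $present = ($null -ne $key) -and ($key.GetValueNames() -contains $ValueName)
        $value = $null
        $kind = $null
        if ($present) {
            $value = $key.GetValue($ValueName)
            $kind = $key.GetValueKind($ValueName).ToString()   # 'DWord' or 'String'
        }
        [pscustomobject]@{
            Path    = $path
            Present = $present
            Value   = $value
            Type    = $kind
            # The check is on only when the stored value is 1 (DWORD 1 or string "1").
            Enabled = $present -and ([string]$value -eq '1')
        }
    }
}

Set-CertPaddingCheck -PropertyType DWord
Get-CertPaddingCheckStatus | Format-Table -AutoSize
```

Run `Get-CertPaddingCheckStatus` on a machine the scanner still flags and compare the `Type` column with what the scanner's check expects; switching the call to `Set-CertPaddingCheck -PropertyType String` recreates both values as REG_SZ without leaving the old DWORD behind.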
2 Answers
I ran into the same issue! I set up a Group Policy Object (GPO) to add those two keys automatically on all computers that authenticate, and after that, the detection issue was resolved for us.
Check this out – I was able to get it working using string values too. Here’s my setup: `New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" -PropertyType String -Name "EnableCertPaddingCheck" -Value 1`.
I opted for strings in my PowerShell scripts and it worked fine for me. Sometimes the type can really make a difference, so it's worth experimenting with.
Did you use DWORD as the type? Also, are you running Carbon Black on those systems?