Public/Enable-WinVerifyTrustMitigation.ps1

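function Enable-WinVerifyTrustMitigation {
    <#
    .SYNOPSIS
        Mitigates CVE-2013-3900 by enabling certificate padding checks in WinVerifyTrust.
    .DESCRIPTION
        Creates the Wintrust\Config registry key and sets EnableCertPaddingcheck to 1 in both
        the 64-bit and 32-bit (Wow6432Node) hives, requiring Windows to enforce strict PE
        signature padding validation and preventing attackers from appending malicious content
        to signed executables without invalidating the signature.

        Every registry write runs as a terminating operation and the value is read back from
        each hive afterwards, so a failed or partial write surfaces as an error rather than a
        "mitigation applied" message.
        A system restart is required for the change to take effect.
    .INPUTS
        None. Parameters must be supplied directly.
    .OUTPUTS
        None.
    .PARAMETER ComputerName
        The target computer. Defaults to the local machine.
    .PARAMETER Force
        Restarts the computer immediately after applying the change.
    .EXAMPLE
        Enable-WinVerifyTrustMitigation

        Applies the CVE-2013-3900 mitigation on the local machine and warns that a restart is needed.
    .EXAMPLE
        Enable-WinVerifyTrustMitigation -ComputerName 'Server01' -Force

        Applies the mitigation on Server01 and restarts it immediately.
    .NOTES
        Requires Administrator privileges.
        Mitigates CVE-2013-3900. See https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
        Remote operations require WinRM to be configured on the target machine.
        Throws a terminating error if EnableCertPaddingcheck cannot be written to either hive or
        does not read back as 1; the restart is then not attempted.
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType([void])]

    param (
        [Parameter(Mandatory = $false)]
        [string]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # Local targets are edited in-process; anything else goes through a WinRM session.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
               ($ComputerName -ieq 'localhost') -or
               ($ComputerName -eq '127.0.0.1')

    if ($PSCmdlet.ShouldProcess($ComputerName, 'Set EnableCertPaddingcheck = 1 in Wintrust\Config (64-bit and 32-bit)')) {
        # Kept self-contained (no captured variables) so the same block can be shipped
        # unchanged to a remote session via Invoke-Command.
        $work = {
            # Provider errors are non-terminating by default; promote them so a failed
            # New-Item/New-ItemProperty aborts instead of letting the caller report success.
            $ErrorActionPreference = 'Stop'

            $valueName = 'EnableCertPaddingcheck'
            $wintrustKeys = @(
                'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust'
            )

            foreach ($wintrustKey in $wintrustKeys) {
                $configKey = "$wintrustKey\Config"

                # -Force returns an existing key untouched and creates it when missing.
                New-Item -Path $wintrustKey -Force | Out-Null
                New-Item -Path $configKey   -Force | Out-Null
                New-ItemProperty -Path $configKey -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null

                # Read the value back instead of trusting the write: the mitigation is only
                # effective when the DWORD is present as 1 in this hive.
                $actual = (Get-ItemProperty -Path $configKey -Name $valueName).$valueName
                if ($actual -ne 1) {
                    throw "Verification failed: '$configKey\$valueName' is '$actual', expected 1."
                }
            }
        }

        if ($isLocal) {
            & $work
        } else {
            # -ErrorAction Stop so an error record streamed back from the remote block
            # terminates here rather than falling through to the success message.
            Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ErrorAction Stop
        }

        Write-Verbose "CVE-2013-3900 (WinVerifyTrust) mitigation applied on '$ComputerName'."
        Write-Warning "A system restart is required for changes to take effect."

        # Second ShouldProcess gate: -Force requests the restart, but -WhatIf/-Confirm still apply.
        if ($Force -and $PSCmdlet.ShouldProcess($ComputerName, 'Restart computer to apply changes')) {
            Restart-Computer -ComputerName $ComputerName -Force
        }
    }
}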