Internal NCryptDecrypt method could be used externally from WindowsHello library.

The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

使用候选路径或通道进行的认证绕过

WindowsHello open source library 加密问题漏洞

WindowsHello是一款用于与Windows Hello生物特征面部识别库一同使用的解锁开源库。 WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello) 1.0.4之前版本中存在加密问题漏洞。攻击者可利用该漏洞无需身份验证便可解密加密的数据。

N/A

N/A