3 months ago, on September 13, 2022, Microsoft flagged CVE-2022-37958, a vulnerability in the SPNEGO NEGOEX security mechanism in Windows that was initially granted a CVSS score of 7.5, and later was modified and assigned a CVSS score of 8.1 and critical maximum severity for their products.
As we’ll see below Microsoft first categorized the vulnerability as an information disclosure vulnerability. But last week, they realized the real impact of this vulnerability – RCE. This Windows code-execution vulnerability has the potential to challenge the EternalBlue exploit, another Windows security flaw from 2017 that was used to detonate WannaCry ransomware.
Here’s everything you need to know:
What is the CVE-2022-37958 vulnerability?
This Windows code-execution vulnerability has the potential to challenge the EternalBlue exploit, another Windows security flaw from 2017 that was used to detonate WannaCry ransomware.
As in EternalBlue’s case, CVE-2022-37958 allows attackers to execute malicious code with no authentication required. In addition, this vulnerability is wormable, meaning it may also allow a single exploit to trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
Important basic concepts – GSSAPI SPNEGO and NEGOEX
To better comprehend the vulnerability and its characteristics, let’s cover some basic concepts:
GSSAPI (Generic Security Service Application Programming Interface) consists of a set of libraries provided by security vendors that can be used to develop applications. The SPNEGO is a GSSAPI pseudo mechanism that negotiates the choice of security technology for client-server software. The mechanism is used whenever a client application wants to connect to a remote server, nevertheless, it does not know which authentication protocol is supported by the server.
In Windows, SPNEGO and NEGOEX are used to negotiate the use of security mechanisms for network communication between client and server applications. They are typically used in the context of the HTTP and SMB protocols and are often used to provide single sign-on (SSO) functionality for applications that use these protocols.
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a security mechanism that enables a client to authenticate to a server using a variety of authentication methods, including Kerberos and NTLM. It allows a client to negotiate the use of a specific security mechanism with a server during the establishment of a network connection. There is a wide range of Microsoft Application Protocols that use SPNEGO, Among others are SMB/ CIFS (Common Internet File System), HTTP, CredSSP which is used by the RDP (Remote Desktop Protocol), Remote Procedure Call Extensions, and LDAP (Lightweight Directory Access Protocol).
NEGOEX (Negotiation Extensions) is an extension to the SPNEGO mechanism that provides additional flexibility and functionality for negotiating the use of security mechanisms. It enables the use of multiple authentication methods in a single negotiation and allows for the negotiation of multiple security contexts within a single connection. When the NEGOEX is enabled, an attacker can use any Windows application protocol that uses authentication and via the protocol, access the NEGOEX protocol and execute code remotely.
What’s the difference between CVE-2022-37958 and EternalBlue?
While EternalBlue exploits a vulnerability only in Microsoft’s implementation of the Server Message Block (SMB) protocol or server message block (a protocol that serves for files and printer sharing and other network activities), the current vulnerability exists in a significantly wider range of protocols, allowing attackers a greater degree of flexibility than when exploiting EternalBlue. In practice, this vulnerability could potentially affect a much broader scope of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks.
This current code-execution vulnerability can allow an attacker to trigger the vulnerability via any Windows application protocols that authenticates, either when trying to connect to an SMB share or via Remote Desktop. Other examples of the exploitation included Internet exposed Microsoft IIS servers and SMTP servers that have Windows Authentication enabled, needless to say these exploits could also be exploited on internal networks if left unpatched.
Only the SMB, or server message block
Can be triggered via any Windows application protocols that authenticates
Is it a 0-day?
Yes, Initially exploited by the NSA
No, this is an N-day with a 3-month patching lead-time
Is there a patch?
The NSA’s highly weaponized exploit was released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit with no available patches
Patch for CVE-2022-37958 has been available for three months
Does exploit require authentication?
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required
Is it exposed to the internet?
Can be triggered by trying to connect to SMB share or via Remote Desktop. Other examples include Internet-exposed Microsoft IIS servers and SMTP servers with Windows Authentication enabled
Fix timeline – from “important” to “critical”
A fix for CVE-2022-37958 was published last September in Microsoft’s monthly Patch Tuesday security fixes report. However, at that point in time, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information, or in other words they thought it to be a “Read-only” vulnerability. Due to this assumption, the vulnerability was designated as “important” by Microsoft.
Sometime later, while analyzing vulnerabilities after they were patched, the IBM researcher discovered a significantly more severe scenario: The vulnerability allowed for remote code execution in a similar manner as did EternalBlue.
Following this discovery, on December 13th, Microsoft updated the vulnerability’s severity, impact, and CVSS rating, revising the designation from “Important” Information Disclosure to “Critical” Remote Code Execution and the vulnerability’s severity rating to 8.1, the exact same score that was given to EternalBlue. Also, on that same date, a proof of Concept (PoC) Exploitation of the vulnerability was published in a tweet by Red Hat security researcher Valentina Palmiotti which proved that the vulnerability can in fact lead to a Remote Code Execution. This seems to be the reason why Microsoft decided to reclassify the vulnerability.
Does CVE-2022-37958 affect me?
If your system is running on Windows, you will be affected by the vulnerability if the following conditions are met:
- You have client applications and server software using the SPNEGO and the NEGOEX mechanism is enabled.
- You do not have the Microsoft September patch installed (or later).
Nevertheless, there’s reason for optimism: While EternalBlue was a 0-Day, this is an N-Day vulnerability with a 3-month patching lead time. However, there are some organizations that have proven slow to deploy patches for several months or lack an accurate inventory of systems exposed to the internet. This may eventually lead to miss patching systems altogether.
How to fix CVE-2022-37958
In order to protect against all potential attack vectors, and due to the widespread use of SPNEGO, we strongly recommend that users and administrators immediately apply the patch. The fix is included in September 2022 security updates and impacts all systems Windows 7 and newer.
It is also recommended to perform a review of what services are exposed to the internet (such as SMB and RDP) and maintian continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled.
Finally, in order to remediate the vulnerability, you should apply the latest Microsoft updates that have been released since the September 13th Microsoft patch.
Before you go
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022- a 360° view report
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- Threat intelligence frameworks in 2022
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.