Warning: CVE-2022-37958 critical pre-auth remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, Patch ASAP
CVE-2022-37958:CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Successful exploitation of CVE-2022-37958 could give a remote unauthenticated attacker the capability to execute code on a vulnerable Windows system without requiring user interaction. The attack has a high complexity, an attacker needs to perform this attack multiple times to be successful, but it requires no privileges or user interaction. A successful attack has a high impact on all vertices of the CIA triad impacting Confidentiality, Integrity, and availability. IBM noted that the vulnerability has the potential to be wormable. CVE-2017-0144 (EternalBlue) was an infamous wormable vulnerability responsible for the worldwide spread of WannaCry. If CVE-2022-37958 obtains the wormable capability, it is possibly more severe than the EternalBlue vulnerability, based on the fact that SPNEGO NEGOEX affects multiple protocols, while EternalBlue affects only SMBv1.
The vulnerability tracked as CVE-2022-37958 was originally disclosed as an information disclosure vulnerability with a CVSS score of 7.5. This vulnerability was patched with the updates from Microsoft Patch Tuesday, September 2022.
Research from IBM X-Force disclosed that CVE-2022-37958 could lead to pre-auth remote code execution. Microsoft acknowledged the assessment and re-evaluated the vulnerability as a critical pre-auth remote code execution vulnerability with a CVSS score of 8.1.
The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is an internet standard for negotiating which security mechanism to use when authentication between a client and server occurs. SPNEGO NEGOEX is an extended negotiation mechanism that enhances the older SPNEGO mechanism.
Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP) use NEGOEX for authentication by default. Other protocols (e.g., HTTP) can also be configured to use NEGOEX.
CVE-2022-37958 does not require user authentication or interaction, and affects a wider range of protocols, IBM noted that the vulnerability has the potential to be wormable similar to CVE-2017-0144 (EternalBlue). EternalBlue was the vulnerability responsible for the worldwide spread of WannaCry.
To give Windows administrators a patch window to apply the patches, IBM will refrain from releasing the full technical details until Q2 2023.
The Centre for Cyber Security Belgium strongly recommends Windows system administrators to do the following:
- Create backups before proceeding to install Windows updates and test them after installation. There is always a chance that installing updates could break something, and the updated system needs to be rolled back to a previous state.
- Check whether your Windows systems have installed the updates from Microsoft Patch Tuesday September 2022:
- Prioritize checking externally exposed Windows Server systems, then proceed to check Windows Server systems that may not be externally exposed but perform a business-critical function. Check your non-critical Windows Servers last.
- Continue to check your fleet of Windows clients. Be sure to check Windows clients that are connected to the enterprise network but may not have auto-update capabilities enabled.
Additional recommendations from IBM X-Force Red include:
- Review what services, such as SMB and RDP, are exposed to the internet.
- Implement continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled.
- Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied. References (extra sources with information)