In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code.

The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols. It has the potential to be wormable.

The vulnerability could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), by default. This list of affected protocols is not complete and may exist wherever SPNEGO is in use, including in Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.

Unlike the vulnerability (CVE-2017-0144) exploited by EternalBlue and used in the WannaCry ransomware attacks, which only affected the SMB protocol, this vulnerability has a broader scope and could potentially affect a wider range of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks. This vulnerability does not require user interaction or authentication by a victim on a target system.

Microsoft has classed this vulnerability as “Critical,” with all categories rated at a maximum severity with the exception of “Exploit Complexity,” which is rated High, as it may require multiple attempts for successful exploitation. This brings the overall CVSS 3.1 score to “8.1.” Unpatched systems with the default configuration are vulnerable.

As part of its responsible disclosure policy, X-Force Red has worked with Microsoft on this reclassification. In order to give defenders time to apply the patches, IBM will refrain from releasing full technical details until Q2 2023.

Recommendations

Due to the widespread use of SPNEGO, we strongly recommend that users and administrators apply the patch immediately to protect against all potential attack vectors. The fix is included in September 2022 security updates and impacts all systems Windows 7 and newer.

Additional recommendations from X-Force Red include:

• Review what services, such as SMB and RDP, are exposed to the internet.
• Continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled.
• Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.

Learn more about IBM X-Force Red Adversary Simulation Services here.

Schedule a consult with X-Force here.