Vulnerability Highlight
In December 2022, Microsoft reclassified a vulnerability (CVE-2022-37958) in the SPNEGO NEGOEX protocol as a critical Remote Code Execution (RCE) vulnerability. This reassessment was based on research by IBM Security researcher Valentina Palmiotti, who discovered that the vulnerability, which had originally been patched in September, may potentially allow RCE. As a result, Microsoft assigned the vulnerability a CVSSv3 score of 8.1 in its December 2022 Patch Tuesday release. Since both the SMB and RDP protocols use the NEGOEX security mechanism, the potential impact of this vulnerability is significant. Some researchers have even compared it to the EternalBlue vulnerability. It is important for organizations to apply the necessary patches as soon as possible to protect themselves from this vulnerability.
Background Information
The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a security protocol developed by Microsoft that utilizes the GSS-API authentication mechanism. It is used when a client application wants to authenticate to a remote server, but both ends are unsure of the authentication protocol that the other supports. In this case, SPNEGO will be used to allow the client to send verifiable proof data to the server. The GSS-API is a set of word processing functions that includes both an application program interface and an access authentication method.
NEGOEX is an extended negotiation mechanism for SPNEGO (referred to as SPNEGO NEGOEX), which enhances the functionality of SPNEGO by providing a security mechanism that can be negotiated through SPNEGO. When SPNEGO selects the NEGOEX security mechanism, NEGOEX provides a method for selecting a common authentication protocol based on metadata (such as trust configurations). These protocols are commonly used to establish a secure connection between a web application and its client. The vulnerability lies in the way that SPNEGO NEGOEX handles specially crafted authentication requests, which could potentially allow an attacker to execute arbitrary code on a server hosting a vulnerable web application.
The vulnerability (CVE-2022-37958) affects Windows systems broadly, as the Server Message Block (SMB) and Remote Desktop Protocol (RDP) protocols both use NEGOEX for authentication by default, and the Simple Mail Transfer Protocol (SMTP) and HTTP protocols can be configured to use NEGOEX for authentication. This makes systems exposed to the internet, as well as those in an internal network environment, particularly vulnerable. For example, RDP allows a user to remotely connect and control another computer or device, while SMB is used for file sharing and other network services. If these protocols are not properly secured, attackers could potentially gain access to the network and cause significant damage. It is important to note that even systems within an internal network environment cannot be ignored, as they may still be exposed to this vulnerability.
Fortunately, the exploitability of this vulnerability (CVE-2022-37958) is known to be difficult, as there are no publicly available technical details or vulnerabilities, and there have been no reports of actual exploitation of this vulnerability. However, it is worth noting that according to IBM Security X-Force Red [2], this vulnerability may potentially be exploited by worms. In comparison to the EternalBlue vulnerability (CVE-2017-0144), which only affects SMBv1, the SPNEGO NEGOEX vulnerability has the potential to affect multiple protocols, making the potential risk much greater.
Security Recommendation
The patch released by Microsoft in December 2022 only made informational changes to the vulnerability (CVE-2022-37958), meaning that the patches released by Microsoft in September are still effective in protecting against this vulnerability. Therefore, if organizations have already deployed the September 2022 Patch Tuesday update, they are already protected against CVE-2022-37958. To further protect against this vulnerability, it is important for organizations to ensure that all affected Windows systems are regularly patched and updated. This will help prevent attackers from exploiting the vulnerability.
In addition to applying the necessary patches, organizations can also reduce the risk of attack by restricting access to the RDP and SMB ports, avoiding exposure of these services to the network, and restricting access to these high-risk services to only trusted users and devices. It is important for enterprises that have not yet applied the necessary patches to do so as soon as possible to protect against this vulnerability.
References
[1] MSRC Security Update Guide – “SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability”, Microsoft, Last updated: December 13, 2022.
[2] IBM X-Force – “Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism”, IBM, December 13, 2022.
