Microsoft SPNEGO NEGOEX Vulnerability

Microsoft has reclassified a vulnerability in SPNEGO NEGOEX (CVE-2022-37958) as “Critical”, the highest severity rating it assigns, with a CVSS score of 8.1. The CVE had originally been rated “Important” (CVSS 7.5) and described as an information-disclosure issue, but analysis of the patch by IBM Security X-Force Red showed that the flaw allows pre-authentication remote code execution in a manner comparable to EternalBlue. The fix has been available since Microsoft’s September 2022 Patch Tuesday release; the reclassification followed in December 2022. Organisations are advised to apply the patches as soon as possible.

CVE-2022-37958 is a remote code execution (RCE) vulnerability in the SPNEGO NEGOEX component of Windows, the negotiation layer that Windows applications go through when they authenticate with the “Negotiate” security package. SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is an internet standard (RFC 4178) for agreeing which Generic Security Service Application Program Interface (GSSAPI) mechanism, such as Kerberos or NTLM, a client and server will use to authenticate.

NEGOEX (Extended Negotiation) is an extended negotiation mechanism for SPNEGO, intended to address some of SPNEGO’s drawbacks and to add new GSSAPI extensions. It is itself one of the mechanisms a client can advertise inside a SPNEGO token, so any service that accepts “Negotiate” authentication can reach the NEGOEX code. According to IBM Security X-Force Red, the vulnerability “has the potential to be wormable.” It could rival EternalBlue, the 2017 exploit for a Windows SMB flaw that was used to spread the WannaCry ransomware.
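To make concrete how a “Negotiate” exchange reaches NEGOEX: the mechanisms a client offers travel as OIDs in the mechTypes list of the SPNEGO NegTokenInit, and NEGOEX is one of them (OID 1.3.6.1.4.1.311.2.2.30). The PowerShell below is an added example for this advisory, not code from ITC, IBM or Microsoft. It walks the DER structure of a constructed NegTokenInit, carrying the four-mechanism list commonly seen from Windows clients with the optional mechToken omitted, and flags whether NEGOEX is advertised. The byte string is hand-built for the example; to triage real traffic, feed it the base64 value from a captured `Authorization: Negotiate` header or an SMB security blob via `[Convert]::FromBase64String`.

```powershell
# Added example (not from the original advisory): list the GSSAPI mechanisms
# advertised in a SPNEGO NegTokenInit and flag NEGOEX.

# Decode the body of a DER OBJECT IDENTIFIER into dotted form (e.g. 1.3.6.1.5.5.2).
function ConvertFrom-DerOid {
    param([byte[]]$Body)
    $first = [int]$Body[0]
    $arcs  = [System.Collections.Generic.List[string]]::new()
    $arcs.Add([string][int][math]::Floor($first / 40))   # first arc
    $arcs.Add([string]($first % 40))                     # second arc
    $value = 0
    for ($i = 1; $i -lt $Body.Length; $i++) {            # base-128 arcs, high bit = continue
        $value = ($value -shl 7) -bor ($Body[$i] -band 0x7f)
        if (($Body[$i] -band 0x80) -eq 0) { $arcs.Add([string]$value); $value = 0 }
    }
    return ($arcs -join '.')
}

# Walk a DER blob and collect every OID in document order. Constructed elements
# (tag bit 0x20) are descended; primitives are ignored unless they are OIDs.
# The mechToken is a primitive OCTET STRING, so OIDs buried inside a Kerberos
# or NTLM blob are not reported: only the SPNEGO framing OID and mechTypes are.
function Get-DerOids {
    param([byte[]]$Bytes)
    $oids = [System.Collections.Generic.List[string]]::new()
    $pos = 0
    while ($pos -lt $Bytes.Length) {
        $tag = [int]$Bytes[$pos]; $pos++
        $len = [int]$Bytes[$pos]; $pos++
        if ($len -band 0x80) {                           # long-form length
            $n = $len -band 0x7f; $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos]; $pos++ }
        }
        if ($len -gt 0) {
            $body = [byte[]]($Bytes[$pos..($pos + $len - 1)])
            if ($tag -band 0x20)   { $oids.AddRange((Get-DerOids $body)) }
            elseif ($tag -eq 0x06) { $oids.Add((ConvertFrom-DerOid $body)) }
        }
        $pos += $len
    }
    return ,$oids
}

# Constructed sample: NegTokenInit with the mechanism list commonly sent by
# Windows clients (MS KRB5, KRB5, NEGOEX, NTLMSSP); mechToken omitted.
$sampleToken = [byte[]]@(
    0x60,0x3e,                                       # [APPLICATION 0] InitialContextToken
      0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,       #   OID 1.3.6.1.5.5.2 (SPNEGO)
      0xa0,0x34,                                     #   [0] NegTokenInit
        0x30,0x32,                                   #     SEQUENCE
          0xa0,0x30,                                 #       [0] mechTypes
            0x30,0x2e,                               #         SEQUENCE OF OID
              0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02,       # MS KRB5
              0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,       # KRB5
              0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x1e,  # NEGOEX
              0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a   # NTLMSSP
)

$mechNames = @{
    '1.3.6.1.5.5.2'          = 'SPNEGO (framing OID)'
    '1.2.840.48018.1.2.2'    = 'MS KRB5'
    '1.2.840.113554.1.2.2'   = 'KRB5'
    '1.3.6.1.4.1.311.2.2.30' = 'NEGOEX'
    '1.3.6.1.4.1.311.2.2.10' = 'NTLMSSP'
}
$negoexOid = '1.3.6.1.4.1.311.2.2.30'

# Map each OID in the token to a mechanism name ("unknown" for anything unlisted).
function Get-SpnegoMechanisms {
    param([byte[]]$Token)
    foreach ($oid in (Get-DerOids $Token)) {
        $name = 'unknown'
        if ($mechNames.ContainsKey($oid)) { $name = $mechNames[$oid] }
        [pscustomobject]@{ Oid = $oid; Mechanism = $name }
    }
}

# For a live capture: $sampleToken = [Convert]::FromBase64String($headerValue)
$mechs = Get-SpnegoMechanisms $sampleToken
$mechs | Format-Table -AutoSize
if ($mechs.Oid -contains $negoexOid) {
    Write-Warning 'NEGOEX is offered in this Negotiate token: the NEGOEX code path is reachable'
}
```

On the sample the table lists SPNEGO, MS KRB5, KRB5, NEGOEX and NTLMSSP in that order and the warning fires. A server-side token (NegTokenResp) uses a different outer structure but the same OID encoding, so the walker still reports the mechanism the server selected.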

Whereas EternalBlue exploited a flaw in Microsoft’s implementation of a single protocol, Server Message Block (SMB, used for file and printer sharing and other network services), this vulnerability sits in an authentication layer shared by a much wider range of protocols, which gives an attacker far more flexibility in how to reach it. In practice it could affect a much broader set of Windows systems, because the attack surface covers every service that accepts Negotiate authentication, whether exposed to the public internet (HTTP, RDP, SMB) or reachable on internal networks.

The vulnerability can be triggered through any Windows application protocol that uses Negotiate authentication, for example when connecting to an SMB share or over Remote Desktop, and it requires neither valid credentials nor user interaction. Other exploitation scenarios include internet-exposed Microsoft IIS servers and SMTP servers with Windows Authentication enabled; the same services are just as exposed on internal networks if left unpatched.

Microsoft patched CVE-2022-37958 as part of its September 2022 Patch Tuesday release. Devices that have the September 2022 Patch Tuesday updates applied are protected against this vulnerability. There were no reports of confirmed in-the-wild exploitation of CVE-2022-37958 at the time of writing.

ITC-TI analyst comment:
  • Because SPNEGO is so widely used, we strongly recommend that users and administrators apply the patch immediately to close off every potential attack vector. The fix is included in the September 2022 security updates; the vulnerability affects Windows 7 and newer.  
  • Additional recommendations: review which services, if any, such as SMB and RDP, are exposed to the internet. If the patch cannot be applied, limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider; this workaround has compatibility impact, so test it against your clients before rolling it out.  
  • ITC will also check for exposed devices in Microsoft Defender for Endpoint and Qualys for each customer for whom we manage this service, and will send out the findings by service request.  
  • For all other customers, we advise checking for exposed devices with vulnerability management tooling and applying the September 2022 Microsoft security update.
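The checks behind the recommendations above, as an added example written for this advisory (it is not ITC’s tooling and not Microsoft’s): a patch-status heuristic, a listing of authenticating services that are listening on the host, and an audit of the IIS Windows Authentication providers with an optional hardening step. Assumptions: an elevated PowerShell session on Windows 10/11 or Windows Server 2016 and later, where monthly updates are cumulative and appear in `Get-HotFix`; the `WebAdministration` module on hosts running IIS; and the IIS provider value `Negotiate:Kerberos` as the way to keep Kerberos while dropping SPNEGO. The function names are the example’s own.

```powershell
# Added example (not ITC's or Microsoft's tooling): checks matching the
# analyst recommendations for CVE-2022-37958. Run elevated on the host.

# 1. Patch-status heuristic. Monthly updates on Windows 10/11/Server 2016+ are
#    cumulative, so any update installed on or after 2022-09-13 (September 2022
#    Patch Tuesday) carries the fix. A heuristic, not proof: the authoritative
#    answer comes from your vulnerability scanner or Defender for Endpoint.
function Test-SeptemberUpdateHeuristic {
    $cutoff = [datetime]'2022-09-13'
    $hits = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
    if (-not $hits) {
        Write-Warning 'No update installed since 2022-09-13: treat this host as unpatched for CVE-2022-37958'
    }
    return $hits
}

# 2. Which services that accept Windows authentication are listening here?
#    Whether they are reachable from the internet is decided at the perimeter,
#    so pair this with an external scan of your public address ranges.
function Get-AuthListeners {
    $watch = @{ 445 = 'SMB'; 3389 = 'RDP'; 80 = 'HTTP'; 443 = 'HTTPS'; 25 = 'SMTP' }
    Get-NetTCPConnection -State Listen |
        Where-Object { $watch.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service = $watch[[int]$_.LocalPort]
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
            }
        }
}

# 3. IIS Windows Authentication providers (server-wide, applicationHost.config).
#    "Negotiate" means SPNEGO and therefore NEGOEX. With -Harden the X-Force
#    workaround is applied: drop Negotiate, keep NTLM, and add IIS's raw
#    Kerberos provider "Negotiate:Kerberos" at index 0 so it is preferred over
#    NTLM. Stop-gap only, for hosts that cannot take the September update, and
#    it can break clients that only speak SPNEGO: test before rolling out.
function Set-IisAuthProviders {
    param([switch]$Harden)
    Import-Module WebAdministration -ErrorAction Stop
    $psPath = 'MACHINE/WEBROOT/APPHOST'
    $filter = 'system.webServer/security/authentication/windowsAuthentication/providers'
    $current = (Get-WebConfiguration -Filter $filter -PSPath $psPath).Collection |
        ForEach-Object { $_.value }
    Write-Host "Current providers: $($current -join ', ')"
    if ($Harden -and ($current -contains 'Negotiate')) {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -AtElement @{ value = 'Negotiate' }
        if ($current -notcontains 'Negotiate:Kerberos') {
            Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
                -Value @{ value = 'Negotiate:Kerberos' } -AtIndex 0
        }
    }
    return (Get-WebConfiguration -Filter $filter -PSPath $psPath).Collection |
        ForEach-Object { $_.value }
}

Test-SeptemberUpdateHeuristic | Format-Table -AutoSize
Get-AuthListeners | Format-Table -AutoSize
if (Get-Module -ListAvailable -Name WebAdministration) {
    Set-IisAuthProviders        # add -Harden to apply the workaround
}
```

Provider order is preference order in IIS, so after hardening confirm that the returned list reads `Negotiate:Kerberos, NTLM` rather than the reverse; otherwise Windows clients will quietly downgrade to NTLM. For a single site rather than the whole server, pass the site path as `-PSPath` (for example `IIS:\Sites\Default Web Site`) to the same cmdlets.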

References