Flash Notice: Critical Remote Code Execution Vulnerability Found in SPNEGO

overview

Note: This Flash Notice has been reissued due to an error in the CVE number in the original notice. The correct CVE number for this vulnerability is CVE-2022-37958.  

In September 2022, Microsoft issued a patch for a vulnerability found in the common Windows protocol SPNEGO NEGOEX. At the time, CVE-2022-37958 had a CVSS score of 3.1 and was not considered to be critical. However, Valentina Palmiotti, a security researcher from IBM’s X-Force Red team, recently discovered that the vulnerability could allow an attacker to remotely execute code, impacting a wide range of Windows systems.  

According to Microsoft, SPNEGO provides a negotiation mechanism for Generic Security Services (GSS) API (GSS-API). NEGOEX is a security mechanism negotiated by SPNEGO. CVE-2022-37958 is potentially wormable and could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates by default – including but not limited to Remote Desktop Protocol (RDP) and Server Message Block (SMB). Simple Message Transport (SMTP) and Hyper Text Transfer Protocol (HTTP) are also impacted when SPNEGO is in use.  

Microsoft stated in their advisory that successful exploitation of CVE-2022-37958 requires an attacker to prepare the target environment to improve exploit reliability. Additionally, successful exploitation of the vulnerability does not require authentication or interaction by a victim on a targeted system.  As a result of this new information, Microsoft has upgraded CVE-2022-37958 to critical and it now has a CVSS score of 8.1.  

Since this vulnerability has a broad scope and impacts a wide range of Widows systems, it is highly recommended that users and administrators apply the appropriate patch immediately.  

How Avertium is Protecting Our CUSTOMERS

• Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you'll have no more blind spots, weak links, or fire drills.
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 

Avertium's recommendations    

• Avertium recommends that organizations follow Microsoft’s guidance for patching, which you may find here.  

• The patch was initially issued in September 2022 and still applies despite the upgraded rating. The patch impacts Windows 7 systems and newer.
    
• Avertium and IBM’s X-Force Red Team recommends the following:  

• • Review what services, such as SMB and RDP, are exposed to the internet. 
  • Continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled. 
  • Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied. 

INDICATORS OF COMPROMISE (IOCS):