Written by Mark Stueck of the Kudelski Security Threat Detection & Research Team
On Tuesday, December 13th, Microsoft reclassified a previously acknowledged information disclosure vulnerability (CVE-2022-37958) in the SPNEGO Extended Negotiation Security Mechanism (NEGOEX), the mechanism that allows a client and server to negotiate which security mechanisms to use, as Critical (CVSS 8.1). The reclassification followed the discovery by security researchers at IBM Security X-Force that the vulnerability could also lead to pre-authenticated remote code execution (RCE).
Because the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is widely used to negotiate authentication mechanisms for a broad range of Microsoft Windows services, the scope of this vulnerability is of significant concern. Adversaries could potentially execute arbitrary code by leveraging the NEGOEX protocol through any existing Microsoft application protocol used for authentication, such as SMB, RDP, and even IIS HTTP web servers that have Windows Authentication enabled.
Additional protocols that rely on SPNEGO authentication negotiation, such as SMTP, may also be affected. Research also indicates that CVE-2022-37958 may be “wormable”, meaning exploitation does not require user interaction or authentication to a target system. This puts both public-facing services and internal networks at increased risk of exploitation and compromise.
A patch for CVE-2022-37958 was originally released by Microsoft in September 2022 and remains the supported and recommended solution, despite recent findings by IBM Security X-Force and reclassification by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958
Due to the potential for exploitation and abuse of this vulnerability (including the fact that it may be “wormable”), Kudelski Security strongly recommends that organizations validate as soon as possible that they have applied Microsoft’s September 2022 patches, which properly mitigate this vulnerability. While there are no current public Proof-of-Concept (PoC) exploits, Kudelski Security expects threat actors to attempt abuse in the coming weeks.
On Tuesday evening (UTC), a Proof-of-Concept (PoC) video surfaced on Twitter (https://twitter.com/chompie1337/status/1602757336908660736?s=20&t=Bwn3jV5oeB4kqamoFxptKQ) from an X-Force security researcher, showing what appears to be successful exploitation of CVE-2022-37958 against a Windows 10 system, causing a crash of the LSA service.
Security Researchers at IBM Security’s X-Force Labs are currently safeguarding detailed information surrounding the PoC code, script, and associated output to allow organizations’ security and network teams ample time to patch.
Affected Systems and/or Applications
SPNEGO is a common Windows-based mechanism for negotiating authentication protocols and is used by many applications. Therefore, a significant number of Windows products could be directly impacted if SPNEGO protocol authentication negotiation is being used:
- Windows Server 2012 R2 & Server core
- Windows Server 2012 & Server Core
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 & Server Core
- Windows RT 8.1
- Windows 8.1 for x64-based & 32-bit systems
- Windows 7 for x64-based & 32-bit Systems (Service Pack 1)
- Windows Server 2016 & Server Core
- Windows 10 Version 1607 for x64-based & 32-bit Systems
- Windows 10 for x64-based & 32-bit Systems
- Windows 10 Version 21H2 for 32-bit, x64-based, and ARM64-based Systems
- Windows 11 for x64-based & ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit, x64-based, and ARM64-based Systems
- Windows Server 2022 Datacenter: Azure Edition
- Windows Server 2022 & Server Core
- Windows 10 Version 21H1 for 32-bit, x64-based, and ARM64-based systems
- Windows Server 2019 & Server Core
- Windows 10 Version 1809 for 32-bit, x64-based, and ARM64-based Systems
Threat Actor Post Exploitation Activity
Successful exploitation of this vulnerability for remote code execution can grant an attacker access to a Windows computer with “SYSTEM” privileges, enabling them to deploy malicious implants and post-exploitation tooling. Attackers may also attempt to build a “worm” that exploits this vulnerability to spread.
Security updates released by Microsoft on September 13, 2022, are still effective in mitigating this issue in vulnerable systems. Kudelski Security recommends identifying, validating, and implementing a security update for any affected systems as soon as possible.
A detailed chart indicating which Knowledge Base (KB) update should be applied for each impacted product can be found here:
Temporary workarounds and mitigations
Until more information about the Proof-of-Concept (PoC) exploit or detection observables is released, patching remains the most effective solution and the one Kudelski Security recommends. However, some additional steps can be taken to reduce and mitigate risk while patching is under way:
Review any public-facing services, such as RDP, SMB, and IIS (with Windows Authentication), and ensure that remote connections require strong and unique passwords. Be sure to regularly change and update these credentials, in alignment with security best practices.
If possible, adjust Windows authentication configurations to limit authentication to Kerberos or Net-NTLM (Kerberos should be strongly preferred) and remove “Negotiate” as a default provider.
Organizations looking to detect potential exploitation should consider looking for excessive negotiation protocol requests (likely part of heap grooming) and for the lsass.exe process crashing – the crash generates a Windows Event with ID 5000 and the “LsaSrv” provider name.
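The LsaSrv Event ID 5000 observable described above can be hunted across a set of hosts with the Windows event log cmdlets. This is an added example, not code from the original advisory or from Kudelski Security; the host list, the seven-day lookback window and the use of the System log as the location of LsaSrv events are assumptions.

```powershell
# Added example (not part of the original advisory): hunt for LsaSrv Event ID 5000,
# the event written when lsass.exe's security package crashes.
# Host names and lookback window are assumptions; adjust for your environment.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$LookbackDays = 7
)

# Filter matching the observable named in the advisory: provider LsaSrv, ID 5000.
# The System log is assumed to be where LsaSrv writes this event.
$filter = @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 5000
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}

$hits = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{ n = 'Host'; e = { $computer } }, TimeCreated, Id, ProviderName, Message
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is "no hits", not a failure.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

if (-not $hits) {
    Write-Output "No LsaSrv 5000 events in the last $LookbackDays days on: $($ComputerName -join ', ')"
    return
}

# Repeated crashes on one host in a short window are more suspicious than a single crash,
# so summarise per host before listing the individual events.
$hits | Group-Object Host | ForEach-Object {
    $ordered = $_.Group | Sort-Object TimeCreated
    [pscustomobject]@{
        Host      = $_.Name
        Count     = $_.Count
        FirstSeen = ($ordered | Select-Object -First 1).TimeCreated
        LastSeen  = ($ordered | Select-Object -Last 1).TimeCreated
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

$hits | Sort-Object TimeCreated | Format-Table Host, TimeCreated, Message -Wrap
```

Any host with hits should be correlated with the negotiation-request volume seen at the network layer and checked for the September 2022 update before treating the crash as benign.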
Kudelski Security would like to thank Valentina Palmiotti from IBM X-Force Red for her assistance and collaboration in investigating potential detection methodologies.
What the Cyber Fusion Center is doing
The CFC is creating a threat hunt campaign designed to identify successful exploitation of this vulnerability, using internal queries and methodology resourced from Incident Response engagements where similar activity was observed.
The CFC is also coordinating with our vulnerability scanning partner to deploy plugins capable of identifying unpatched systems and assets vulnerable to CVE-2022-37958. Once available, organizations with the CFC’s Vulnerability Scanning service will be able to validate using the results from the scan.