SOCRadar® Cyber Intelligence Inc. | Microsoft Reevaluates SPNEGO NEGOEX Vulnerability CVE-2022-37958 as Critical  
Table Of Content
Home

Resources

Blog
Dec 16, 2022
3 Mins Read

Microsoft Reevaluates SPNEGO NEGOEX Vulnerability CVE-2022-37958 as Critical  

Microsoft reassessed the severity score of a vulnerability fixed in September 2022 Patch Tuesday. The vulnerability, tracked as CVE-2022-37958, was previously identified as an information disclosure vulnerability and had a CVSS score of 7.5.

A researcher from IBM recently discovered CVE-2022-37958 could lead to remote code execution. Microsoft reevaluated the vulnerability afterward, earning a CVSS score of 8.1 and a “critical” classification.

IBM researcher tweets about CVE-2022-37958 (Source: Twitter)
IBM researcher tweets about CVE-2022-37958 (Source: Twitter

Potential Impact of CVE-2022-37958 

The security vulnerability affects SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. A client and a remote server can agree on which authentication protocol should be used (for instance, Kerberos or NTLM) by using SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism). 

CVE-2022-37958 is a “pre-authentication remote code execution vulnerability” with the potential to be wormable, according to IBM.

The firm compares CVE-2022-37958 to the CVE-2017-0144 vulnerability that WannaCry exploited in their attacks. It is detailed that the vulnerability in SPNEGO NEGOEX may affect a broader range of Windows systems because CVE-2017-0144 only affected SMB protocols, whereas CVE-2022-37958 affects SMB, HTTP, and RDP

How Does CVE-2022-37958 Work? 

An attacker must put in significant effort in preparation for an attack to succeed. To accomplish this, an attacker could:

  • Try to gather information about the target environment. 
  • Prepare the target environment to improve exploit reliability. 
  • Conduct a man-in-the-middle (MITM) attack in the logical network path, allowing them to interfere with network communications. 

Is There a Mitigation Available? 

Researchers have yet to provide additional explanations or technical details about the vulnerability to allow time for the updates to be applied.

Microsoft rolled out a patch for CVE-2022-37958 in the September 2022 Patch Tuesday. It is recommended to apply the patch as soon as possible. 

If you cannot apply the patch immediately, you should limit Windows authentication to Kerberos or Net-NTLM and remove “Negotiate” from the default option. 

The best practice is to continuously monitor your attack surface for these types of threats and to safeguard any services accessible via the internet. 

SOCRadar’s External Attack Surface Management assists you in discovering and actively protecting your digital assets with the attacker’s point of view against potential threats.

SOCRadar Attack Surface Management
SOCRadar Attack Surface Management

Visit Microsoft’s Update Guide for more information.

Related Articles
SOCRadar® Cyber Intelligence Inc. | Perfctl Campaign Exploits Millions of Linux Servers for Crypto Mining and Proxyjacking
Perfctl Campaign Exploits Millions of Linux Servers for Crypto Mining and Proxyjacking
Nov 25, 2024
SOCRadar® Cyber Intelligence Inc. | NodeStealer’s Evolution: A Growing Threat to Facebook Accounts and Beyond
NodeStealer’s Evolution: A Growing Threat to Facebook Accounts and Beyond
Nov 22, 2024
SOCRadar® Cyber Intelligence Inc. | Financial Software Company Finastra Investigates Recent Security Incident
Financial Software Company Finastra Investigates Recent Security Incident
Nov 21, 2024
SOCRadar® Cyber Intelligence Inc. | Privilege Escalation Risks in ‘needrestart’ Utility Threaten Linux Systems; OSS-Fuzz Finds 26 Hidden Flaws
Privilege Escalation Risks in ‘needrestart’ Utility Threaten Linux Systems; OSS-Fuzz Finds 26 Hidden Flaws
Nov 21, 2024
SOCRadar® Cyber Intelligence Inc. | Apple, Oracle, and Apache Issue Critical Updates for Actively Exploited and High-Risk Vulnerabilities
Apple, Oracle, and Apache Issue Critical Updates for Actively Exploited and High-Risk Vulnerabilities
Nov 20, 2024