SOCRadar® Cyber Intelligence Inc. | Microsoft Reevaluates SPNEGO NEGOEX Vulnerability CVE-2022-37958 as Critical  
Table Of Content
Home

Resources

Blog
Dec 16, 2022
3 Mins Read

Microsoft Reevaluates SPNEGO NEGOEX Vulnerability CVE-2022-37958 as Critical  

Microsoft reassessed the severity score of a vulnerability fixed in September 2022 Patch Tuesday. The vulnerability, tracked as CVE-2022-37958, was previously identified as an information disclosure vulnerability and had a CVSS score of 7.5.

A researcher from IBM recently discovered CVE-2022-37958 could lead to remote code execution. Microsoft reevaluated the vulnerability afterward, earning a CVSS score of 8.1 and a “critical” classification.

IBM researcher tweets about CVE-2022-37958 (Source: Twitter)
IBM researcher tweets about CVE-2022-37958 (Source: Twitter

Potential Impact of CVE-2022-37958 

The security vulnerability affects SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. A client and a remote server can agree on which authentication protocol should be used (for instance, Kerberos or NTLM) by using SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism). 

CVE-2022-37958 is a “pre-authentication remote code execution vulnerability” with the potential to be wormable, according to IBM.

The firm compares CVE-2022-37958 to the CVE-2017-0144 vulnerability that WannaCry exploited in their attacks. It is detailed that the vulnerability in SPNEGO NEGOEX may affect a broader range of Windows systems because CVE-2017-0144 only affected SMB protocols, whereas CVE-2022-37958 affects SMB, HTTP, and RDP

How Does CVE-2022-37958 Work? 

An attacker must put in significant effort in preparation for an attack to succeed. To accomplish this, an attacker could:

  • Try to gather information about the target environment. 
  • Prepare the target environment to improve exploit reliability. 
  • Conduct a man-in-the-middle (MITM) attack in the logical network path, allowing them to interfere with network communications. 

Is There a Mitigation Available? 

Researchers have yet to provide additional explanations or technical details about the vulnerability to allow time for the updates to be applied.

Microsoft rolled out a patch for CVE-2022-37958 in the September 2022 Patch Tuesday. It is recommended to apply the patch as soon as possible. 

If you cannot apply the patch immediately, you should limit Windows authentication to Kerberos or Net-NTLM and remove “Negotiate” from the default option. 

The best practice is to continuously monitor your attack surface for these types of threats and to safeguard any services accessible via the internet. 

SOCRadar’s External Attack Surface Management assists you in discovering and actively protecting your digital assets with the attacker’s point of view against potential threats.

SOCRadar Attack Surface Management
SOCRadar Attack Surface Management

Visit Microsoft’s Update Guide for more information.

Related Articles
SOCRadar® Cyber Intelligence Inc. | Hot Topic Data Breach: A Massive Leak Exposes Millions of Customer Records
Hot Topic Data Breach: A Massive Leak Exposes Millions of Customer Records
Nov 12, 2024
SOCRadar® Cyber Intelligence Inc. | MOVEit Data Leak Exposes Employee Data of Amazon, HSBC & More – What You Need to Know
MOVEit Data Leak Exposes Employee Data of Amazon, HSBC & More – What You Need to Know
Nov 12, 2024
SOCRadar® Cyber Intelligence Inc. | 489 Million Instagram Accounts Scraped and Listed for Sale on Dark Web
489 Million Instagram Accounts Scraped and Listed for Sale on Dark Web
Nov 11, 2024
SOCRadar® Cyber Intelligence Inc. | Critical Vulnerabilities in Cisco URWB and HPE Aruba Access Points (CVE-2024-20418, CVE-2024-42509)
Critical Vulnerabilities in Cisco URWB and HPE Aruba Access Points (CVE-2024-20418, CVE-2024-42509)
Nov 07, 2024
SOCRadar® Cyber Intelligence Inc. | SOCRadar Joins the Cyber Threat Alliance: Advancing Cybersecurity Through Collaboration
SOCRadar Joins the Cyber Threat Alliance: Advancing Cybersecurity Through Collaboration
Nov 07, 2024