SPNEGO Extended Negotiation Security Mechanism has a serious remote code execution flaw.

SPNEGO Extended Negotiation Security Mechanism has a serious remote code execution flaw.

Microsoft addressed an information disclosure vulnerability in SPNEGO NEGOEX in September 2022. (CVE-2022-37958). After IBM Security X-Force Red Security Researcher Valentina Palmiotti uncovered the vulnerability, which might allow attackers to remotely execute code, Microsoft classed it as “Critical” on December 13.

The flaw exists in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the security mechanism to be used. This is a pre-authentication remote code execution vulnerability that affects a wide range of protocols. It has the capability of being wormable.

By accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), attackers might remotely execute arbitrary code.

This list is not exhaustive, as SPNEGO may be present everywhere SPNEGO is used, including in Simple Mail Transfer Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.

This vulnerability has a greater scope and could possibly infect a wider variety of Windows computers due to a bigger attack surface of services exposed to the public internet (HTTP, RDP, SMB), or on internal networks, as opposed to the vulnerability (CVE-2017-0144) exploited by EternalBlue and used in the WannaCry ransomware attacks, which only affected the SMB protocol. This vulnerability does not require human interaction or authentication by a victim on a target system.

Microsoft has categorised this vulnerability as “Critical,” with all areas rated at a maximum severity with the exception of “Exploit Complexity,” which is rated High, as it may require numerous tries for successful exploitation. This brings the overall CVSS 3.1 score to “8.1.” Unpatched systems with the default setup are susceptible.

X-Force Red and Microsoft collaborated on this reclassification as part of their responsible disclosure policy. In order to allow defenders time to implement the updates, IBM will abstain from providing detailed technical specifics until Q2 2023.

X-Force Red Recommendations

We highly advise users and administrators to deploy the patch right away in order to protect themselves against all potential attack vectors due to the extensive use of SPNEGO. The fix is included in September 2022 security updates and touches all systems Windows 7 and newer.

  • Check the services that are accessible via the internet, such as RDP and SMB.
  • Monitoring of your attack surface on a continuous basis, including Microsoft IIS HTTP web servers with Windows Authentication enabled.
  • If the patch cannot be implemented, restrict Windows authentication providers to Kerberos or Net-NTLM and delete “Negotiate” as a default provider.

Protect Your Valuable Information Against Data Infringement with us. Visit our Cyber Security Consulting Expert