Critical Microsoft Code-Execution Vulnerability

A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is):

Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.

[…]

Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of “important.” In the routine course of analyzing vulnerabilities after they’re patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.

Posted on December 22, 2022 at 7:01 AM • 3 Comments

Comments

Clive Robinson December 22, 2022 10:11 AM

@ ALL,

Whilst I can understand this,

“At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information.”

As you focus on what is in front of you when “under the gun”, it can lead to two major effects that people need to keep in their head,

1. Severity estimation is just that, an estimation.

2. Vulnerabilities are seldom singletons or not built towards.

In this case we see the first effect, but it happens.

It’s the second effect we really need to keep in mind, like the old joke about how quickly a “mouse problem” becomes a “mice problem”.

These sorts of vulnerabilities are not “one bad line of code”; they actually come about from the way people think about meeting requirements.

People tend to “fall into grooves”: we get told a problem, and rather than treat it as unique we mentally see it through our experience of previous problems. That is, we almost work by analogy.

It’s why in part we have “classes of vulnerabilities” that contain several “instances of vulnerabilities”.

But such thinking is not constrained to a single piece of code… It happens in many pieces of code.

Thus expect to see another “instance” of vulnerability in this “class” in the not too distant future…

Clive Robinson December 22, 2022 10:48 AM

@ ALL,

I had a hunt around to see if I could find anything more useful than,

“CVE-2022-37958 resides in the SPNEGO Extended Negotiation, a security mechanism abbreviated as NEGOEX that allows a client and server to negotiate the means of authentication. When two machines connect using Remote Desktop, for instance, SPNEGO allows them to negotiate the use of authentication protocols such as NTLM or Kerberos.”

Which suggests that it might be a “fall back” vulnerability where either end negotiates down to “insecure” (the sort of thing that makes Meet-in-The-Middle-Attacks so easy).

However I have not had success as there is no POC or similar around.

And…

IBM are not going to release further details until Q2-2023, so more than 100 days away and could be closer to 200.

Oh, and I would assume it is all versions of MS OS’s, supported or otherwise, going back as far as SPNEGO has been around, which is RFC4178 of 2005 and came out of Sun.

Due to where it sits in the computing stack, RFC4178 affects many OS’s other than MS OS’s…

If, and we don’t know because they are not saying, this vulnerability is due to the protocol used in RFC4178 or the RFC4178 standard itself… Then we may find this vulnerability might be more widespread as an issue…

Ted December 22, 2022 11:21 AM

In the run up to the holiday, it’s a wonderful reminder to apply patches throughout the year, and most judiciously upon their release.

IBM says they will refrain from releasing the vulnerability’s gory technical details until Q2 2023, so that everyone has time to apply the patches. (Purportedly there are no reports of it having been exploited in the wild, as of now.)

Tenable provides some additional links to SPNEGO NEGOEX for the preternaturally protocol-curious. Could be a worthwhile dog-ear for the holiday reading stack. 😄

https://www.tenable.com/blog/cve-2022-37958-faq-for-critical-microsoft-spnego-negoex-vulnerability
