SPNEGO Extended Negotiation Vulnerability

In its September 2022 Patch Tuesday release, Microsoft patched an information disclosure vulnerability in SPNEGO Extended Negotiation (NEGOEX), tracked as CVE-2022-37958.

On December 13, 2022, Microsoft reclassified the vulnerability as "Critical" after it became evident that the flaw could be used to achieve remote code execution rather than only information disclosure.

SPNEGO is the mechanism a client and a remote server use to agree on which protocol (for example Kerberos or NTLM) will authenticate the connection; NEGOEX is Microsoft's extension of that negotiation.

Because the flaw is reachable before authentication completes, it affects every protocol that authenticates through this negotiation, and it is potentially wormable.

The reclassification followed the discovery by IBM Security X-Force Red researcher Valentina Palmiotti that the bug is remotely exploitable.

Flaw Profile

  • CVE ID: CVE-2022-37958
  • Description: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
  • Severity: Critical
  • CVSS Score: 8.1
  • Released: Sep 13, 2022
  • Last updated: Dec 13, 2022

This vulnerability could allow RCE through any Windows application protocol that performs authentication, including:

  • HTTP (Hypertext Transfer Protocol)
  • SMB (Server Message Block)
  • RDP (Remote Desktop Protocol)
  • SMTP (Simple Mail Transfer Protocol)

Given the severity of the problem, IBM said it would withhold technical details until Q2 2023 to give organizations time to apply the fix.

Exploitation requires no user interaction and no prior authentication to the target system.

The disclosure followed X-Force Red's responsible disclosure policy, under which the company coordinated with Microsoft on the fix and the reclassification.

Recommendations

SPNEGO is used on practically every Windows system, so applying the patch as soon as possible is strongly recommended.

The fix was included in the September 2022 security update and applies to Windows 7 and all newer versions.

X-Force Red's recommendations include the following points:-

  • Review which services are exposed to the internet, especially SMB and RDP.
  • Monitor the organization's attack surface continuously.
  • Inventory all Microsoft IIS HTTP web servers configured to use Windows authentication.
  • Limit the Windows authentication providers to Kerberos or Net-NTLM.
  • If the patch cannot be applied, remove "Negotiate" as a default provider.
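The recommendations above turned into a single audit script, as an added example that is not code from the article or from IBM X-Force Red. It assumes an elevated PowerShell session on a Windows host, the IIS WebAdministration module for the third step, and the port-to-protocol table embedded in the script; none of those come from the page. Removing "Negotiate" from an IIS site leaves NTLM as the only provider, so Kerberos single sign-on for that site stops working; it is a stopgap until the update is installed, and it does nothing for SMB or RDP, which the article says should be kept off the internet and patched.

```powershell
# Added example, not from the article or IBM X-Force Red.
# Audits a Windows host against the recommendations above and, with -Remediate,
# applies the IIS stopgap of removing the "Negotiate" provider (NTLM stays).
# Assumptions: elevated PowerShell, IIS with the WebAdministration module,
# and the port/protocol table below (both are assumptions, not from the page).
param(
    [switch]$Remediate
)

# --- 1. Exposed services: which authenticating protocols is this host listening on?
$watched = @{ 25 = 'SMTP'; 80 = 'HTTP'; 443 = 'HTTPS'; 445 = 'SMB'; 3389 = 'RDP' }
Get-NetTCPConnection -State Listen |
    Where-Object { $watched.ContainsKey([int]$_.LocalPort) } |
    Sort-Object LocalPort, LocalAddress |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        '{0,-5} tcp/{1,-4} on {2} (pid {3} {4})' -f $watched[[int]$_.LocalPort], $_.LocalPort, $_.LocalAddress, $_.OwningProcess, $proc
    }

# --- 2. Patch status: updates installed on or after the September 2022 release date.
# The KB number for the fix depends on the Windows build, so this is only a coarse signal.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2022-09-13' } |
    Select-Object HotFixID, Description, InstalledOn

# --- 3. IIS sites with Windows authentication enabled, and the providers each offers.
Import-Module WebAdministration -ErrorAction Stop
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

foreach ($site in Get-Website) {
    # Per-site settings live under the applicationHost "location" for the site name.
    $cfg = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site.Name }
    $enabled = (Get-WebConfigurationProperty @cfg -Filter $winAuth -Name enabled).Value
    if (-not $enabled) { continue }

    $providers = @(Get-WebConfigurationProperty @cfg -Filter "$winAuth/providers" -Name Collection |
        ForEach-Object { $_.value })
    '{0}: Windows auth enabled, providers = {1}' -f $site.Name, ($providers -join ', ')

    if ($Remediate -and ($providers -contains 'Negotiate')) {
        # Drop SPNEGO/NEGOEX negotiation for this site. NTLM remains the only provider,
        # so Kerberos single sign-on for the site stops working until Negotiate is restored.
        Remove-WebConfigurationProperty @cfg -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
        '  removed Negotiate from {0}' -f $site.Name
    }
}
```

Run the script without arguments to report; add -Remediate to strip "Negotiate" from every site that still offers it. After the September 2022 update is installed, restore the provider with Add-WebConfigurationProperty on the same providers filter and -Value @{ value = 'Negotiate' }, and check the resulting order, since IIS offers providers in list order and Negotiate is normally listed before NTLM.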


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.