As part of Microsoft’s September 2022 Security Update, Microsoft released security updates to remediate CVE-2022-37958–an information disclosure vulnerability in SPNEGO NEGOEX that impacted all Windows versions 7 or newer.
On December 13, Microsoft reclassified the vulnerability as Critical severity after security researchers discovered that the vulnerability could allow threat actors to remotely execute code pre-authentication. Security researchers have also stated that CVE-2022-37958 has the potential to be wormable.
SPNEGO is a mechanism used by client-server software to negotiate the choice of security technology to be used, such as Kerberos. SPNEGO has the potential to affect a wide range of protocols such as Server Message Block (SMB), Remote Desktop (RDP), Simple Message Transport Protocol (SMTP), Hyper Text Transfer Protocol (HTTP) etc. when SPNEGO authentication negotiation is enabled. Exploitation of this vulnerability could allow a threat actor to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates.
The WannaCry ransomware attacks in 2017 leveraged a similar wormable vulnerability, ETERNALBLUE (CVE-2017-0144) in Windows SMBv1 and ultimately spread to more than 200,000 computers.
Artic Wolf Labs has not observed active exploitation or a proof-of-concept (PoC) exploit published for this vulnerability at this time. However, given the news of this new severity rating for CVE-2022-37958, we assess threat actors will focus their research efforts on developing a working exploit within the near term. Due to the potential for creating a wormable exploit, we assess that if available, a variety of threat groups would leverage exploits for CVE-2022-37958 to deploy malicious payloads, such as ransomware to multiple systems within a target network.
Recommendations For CVE-2022-37958
Recommendation #1: Apply Applicable Security Updates
Microsoft released security updates for all Windows products affected by CVE-2022-37958 as part of their September 2022 Patch Tuesday. Arctic Wolf strongly recommends reviewing the published security updates and applying all applicable security updates to impacted products within your environment.
Microsoft Security Update Guidance – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958
Recommendation #2: Review Services Exposed to the Internet
Review and limit the exposure of services such as RDP or SMB to the public internet within your environment where possible.
