Microsoft has recently escalated the severity rating of a previously patched security vulnerability from September 2022, now classifying it as “Critical.” This update follows findings that the vulnerability poses risks of remote code execution, significantly heightening its threat level.
Identified as CVE-2022-37958 with a CVSS score of 8.1, the issue was earlier viewed merely as an information disclosure vulnerability within the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism.
SPNEGO, or Simple and Protected GSSAPI Negotiation Mechanism, facilitates the agreement between a client and a remote server on which authentication protocol (like Kerberos or NTLM) to use. However, research by IBM Security X-Force has revealed that this vulnerability might allow remote execution of arbitrary code, prompting Microsoft to reassess its severity.
According to IBM, this vulnerability constitutes a pre-authentication remote code execution risk that affects numerous protocols, potentially being “wormable.” This means it could exploit any Windows application protocol that employs authentication, including HTTP, SMB, and RDP. Given the critical nature of the flaw, IBM has decided to withhold detailed technical information until Q2 2023 to grant organizations sufficient time to implement fixes.
Microsoft underscored the requirement for attackers to set up the target environment to enhance the reliability of their exploits. Unlike the known vulnerability, CVE-2017-0144, which led to the notorious WannaCry ransomware attacks and affected only the SMB protocol, this newly identified flaw has a broader impact, potentially compromising a larger array of Windows systems vulnerable due to a wider attack surface exposing services to the public internet.
In the context of the MITRE ATT&CK framework, this vulnerability may involve multiple tactics and techniques, including initial access, where attackers could exploit the flaw to breach systems, and privilege escalation, where the execution of arbitrary code could provide elevated permissions on compromised machines.
Organizations utilizing Microsoft technologies, particularly those relying on authentication mechanisms, should prioritize applying the necessary patches and updates to mitigate the risk posed by this critical vulnerability. Keeping software up to date is a key defense against evolving cyber threats.