Note: This Flash Notice has been reissued due to an error in the CVE number in the original notice. The correct CVE number for this vulnerability is CVE-2022-37958.
In September 2022, Microsoft issued a patch for a vulnerability found in the common Windows protocol SPNEGO NEGOEX. At the time, CVE-2022-37958 had a CVSS score of 3.1 and was not considered to be critical. However, Valentina Palmiotti, a security researcher from IBM’s X-Force Red team, recently discovered that the vulnerability could allow an attacker to remotely execute code, impacting a wide range of Windows systems.
According to Microsoft, SPNEGO provides a negotiation mechanism for Generic Security Services (GSS) API (GSS-API). NEGOEX is a security mechanism negotiated by SPNEGO. CVE-2022-37958 is potentially wormable and could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates by default – including but not limited to Remote Desktop Protocol (RDP) and Server Message Block (SMB). Simple Message Transport (SMTP) and Hyper Text Transfer Protocol (HTTP) are also impacted when SPNEGO is in use.
Microsoft stated in their advisory that successful exploitation of CVE-2022-37958 requires an attacker to prepare the target environment to improve exploit reliability. Additionally, successful exploitation of the vulnerability does not require authentication or interaction by a victim on a targeted system. As a result of this new information, Microsoft has upgraded CVE-2022-37958 to critical and it now has a CVSS score of 8.1.
Since this vulnerability has a broad scope and impacts a wide range of Widows systems, it is highly recommended that users and administrators apply the appropriate patch immediately.