Everything you need to know about the SPNEGO NEGOEX CVE-2022-37958

All about the SPNEGO NEGOEX CVE-2022-37958

CVE-2022-37958 is a vulnerability in the SPNEGO NEGOEX security mechanism in Windows, published by Microsoft on the 13th of September 2022 with a CVSS score of 7.5.

However, on December 13th, a few interesting events around the vulnerability occurred:

  • Microsoft released the following revision update: Updated the severity, impact, and CVSS rating from Important Information Disclosure to Critical Remote Code Execution.
  • A proof-of-concept (PoC) exploitation of the vulnerability was published: the first one tweeted was by Valentina Palmiotti, known as chompie1337.

Apparently these events are connected: Microsoft reclassified the vulnerability because the Red Hat security researcher Valentina Palmiotti (chompie1337) proved that it can lead to remote code execution.

To understand the vulnerability better, let’s cover some basic concepts.

GSSAPI

GSSAPI stands for Generic Security Service Application Programming Interface.

The GSSAPI is provided by security vendors in the form of libraries that can be used to develop an application. Every application that wants to use a security mechanism will use a vendor-independent GSSAPI. Then, if it wants to replace the security implementation, it will need to be rewritten.

SPNEGO

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism.

SPNEGO is a GSSAPI pseudo-mechanism that negotiates the choice of security technology for client-server software.

It is used when a client application wants to connect to a remote server but does not know which authentication protocol the server supports.

SPNEGO determines which common GSSAPI mechanisms are available on each side (the client and the server), selects one, and then dispatches all further security operations to it.

SPNEGO only works if both the server and the client have the SPNEGO configuration enabled. Once the authentication has been set, SPNEGO has finished its work.

Microsoft Application Protocols that use SPNEGO

The list is not exhaustive; other protocols that use the SPNEGO mechanism may be discovered.

  • Common Internet File System (CIFS) / Server Message Block (SMB)
  • HTTP
  • CredSSP, which is used by the Remote Desktop Protocol (RDP)
  • Remote Procedure Call Extensions
  • Lightweight Directory Access Protocol (LDAP)

SPNEGO NEGOEX

NEGOEX, which stands for Extended Negotiation, enhances the SPNEGO capabilities.

When NEGOEX is selected by SPNEGO, the negotiation is no longer based only on the fact that both the client and the server support the security mechanism: NEGOEX adds a pair of metadata messages for each negotiated security mechanism.

The metadata contains information about the security mechanism's trust configurations, which makes SPNEGO more flexible when NEGOEX is used.
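The mechanisms a peer offers for negotiation are visible in the first SPNEGO token it sends. As an added example (not from the original article), this Python parser reads a GSS-API framed SPNEGO negTokenInit and reports whether NEGOEX is among the offered mechanisms, which helps locate hosts where the NEGOEX condition applies; the OID constants come from the SPNEGO and NEGOEX specifications rather than from this page, and the sample token is constructed.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"             # RFC 4178 (assumption: not stated on this page)
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"    # NEGOEX specification (not stated on this page)

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos; ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    if length & 0x80:                          # long form: n length bytes follow
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):                # never trust a declared length
        raise ValueError("length exceeds buffer")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:                             # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def offered_mechs(token):
    """Dotted OIDs from mechTypes of a GSS-API framed SPNEGO negTokenInit."""
    body, _ = read_tlv(token, 0, 0x60)         # GSS-API InitialContextToken
    oid, pos = read_tlv(body, 0, 0x06)         # thisMech must be SPNEGO
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not an SPNEGO token")
    for tag in (0xA0, 0x30, 0xA0, 0x30):       # negTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
        body, pos = read_tlv(body, pos, tag)[0], 0
    out = []
    while pos < len(body):
        oid, pos = read_tlv(body, pos, 0x06)
        out.append(decode_oid(oid))
    return out

def offers_negoex(token):
    return NEGOEX_OID in offered_mechs(token)

SAMPLE = bytes.fromhex(  # constructed token, not a capture: NEGOEX, Kerberos, NTLMSSP
    "603306062b0601050502a0293027a0253023060a2b06010401823702021e"
    "06092a864886f712010202060a2b06010401823702020a")
```

An offered NEGOEX mechanism only shows that the NEGOEX condition is present on that endpoint; whether the host is exposed still depends on its patch level.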

CVE-2022-37958

CVE-2022-37958 is a critical pre-authentication remote code execution vulnerability that impacts a wide range of protocols and can potentially be wormable.

When NEGOEX is enabled, an attacker can use any Windows application protocol that uses authentication and, via that protocol, access the NEGOEX protocol and execute code remotely.
The vulnerability is rated as Critical in all categories except for "Exploit Complexity", which is rated as high because it takes a few attempts to successfully exploit the vulnerability.

Am I Exploitable?

You will be affected by the vulnerability if the following conditions are met:

  • Your system is running on Windows.
  • You have client applications and server software that use SPNEGO, and the NEGOEX mechanism is enabled.
  • You do not have the Microsoft September patch installed (or later).

Remediation

To remediate the vulnerability, you should apply the latest Microsoft updates that have been released since the 13th of September. Here is the link to the September 13th Microsoft patch.
