SPNEGO Extended Negotiation Security Vulnerability

Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution.

Tracked as CVE-2022-37958 (CVSS score: 8.1), the flaw was previously described as an information disclosure vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism.

SPNEGO, short for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), is a scheme that allows a client and remote server to arrive at a consensus on the choice of the protocol to be used (e.g., Kerberos or NTLM) for authentication.

But a further analysis of the flaw by IBM Security X-Force researcher Valentina Palmiotti found that it could allow remote execution of arbitrary code, prompting Microsoft to reclassify its severity.

"This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols," IBM said this week. "It has the potential to be wormable."

Specially, the shortcoming could enable remote code execution via any Windows application protocol that authenticates, including HTTP, SMB, and RDP. Given the criticality of the issue, IBM said it's withholding technical details until Q2 2023 to give organizations enough time to apply the fixes.

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability," Microsoft cautioned in its updated advisory.

"Unlike the vulnerability (CVE-2017-0144) exploited by EternalBlue and used in the WannaCry ransomware attacks, which only affected the SMB protocol, this vulnerability has a broader scope and could potentially affect a wider range of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks," IBM noted.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.