TL;DR If you run Windows Operating systems and have not yet installed September 2022 security updates you may be at risk. Here's what you need to know.
On September 13, 2022, Microsoft released software patches for a number of vulnerabilities, including one for SPNEGO NEGOEX (CVE-2022-37958). On December 13, 2022, Microsoft updated the max severity rating for this vulnerability to “Critical” after security researchers discovered the flaw could potentially allow attackers to achieve remote code execution through numerous common protocols on Windows systems. Technical details on the exploit haven’t been released and the full list of affected protocols is unknown.
If you’ve never heard of SPNEGO before, you’re in good company – allow us to break it down. The internet is filled with computers and servers all trying to communicate. How do these systems know who to trust? SPNEGO is just one of the many ways. Think of it like a structured conversation between a client (computer) and server to decide how to verify identities and confirm that the system and user are who they say they are. First, let’s define a couple of terms:
The Generic Security Service Application Program Interface (GSS-API) is a communication standard that allows a client and server to communicate securely. To continue our conversation analogy, think of GSS-API like a common language that both the client and server speak.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) allows a client and remote server to negotiate and agree on the security protocol to be used for authentication.
You might notice that SPNEGO uses GSS-API in its name. That’s because SPNEGO uses the GSS-API communication standard. If GSS-API is the language then SPNEGO is the set of rules for how the conversation (negotiation) between client and server takes place.
Extended Negotiation (NEGOEX) security protocol is a Microsoft security mechanism negotiated by SPNEGO. When selected, NEGOEX extends the security features and capabilities of SPNEGO. For example, NEGOEX adds additional information about negotiated security mechanisms such as their configuration settings. For a more detailed discussion of NEGOEX, see here.
Who is Affected
Since the the the vulnerability may exist on numerous Windows protocols when SPNEGO authentication negotiation is in use, you should consider yourself affected if you meet the following criteria:
- If you are running a Windows operating system
- If you have not installed the Microsoft September 2022 security updates (or later)
Current information from security researchers suggests that the flaw in SPNEGO NEGOEX could allow an attacker to bypass authentication and gain remote code execution on systems using certain Windows protocols. Although a complete list is not yet known these may include:
- Server Message Block (SMB)
- Remote Desktop Protocol (RDP)
- HyperText Transfer Protocol (HTTP)
- Simple Message Transport Protocol (SMTP)
- Lightweight Directory Access Protocol (LDAP)
This vulnerability is reminiscent of the “EternalBlue” exploit leveraging CVE-2017-0144. This was widely exploited in wormable (self-spreading) WannaCry ransomware attacks using SMB. The present vulnerability may have a wider potential impact given that the flaw may be present in numerous Windows protocols. Many unpatched default configurations are likely vulnerable.
Security researchers at IBM who discovered the critical nature of the flaw are waiting until Q2 2023 to release technical details to give organizations time to patch. We strongly urge you not to wait and patch immediately.
Next steps for affected organizations:
- Immediately apply the Windows security updates. The fix was included in the September 2022 security updates and impacts all systems Windows 7 and newer.
- Review and minimize your internet exposure where possible. We recommend not leaving SMB and RDP open and visible to the public. Note that this is not a replacement for applying the security update, just a best practice.
- Install and monitor an Endpoint Detection and Response (EDR) solution on all endpoints throughout your network.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.