Critical Remote Code Banner

A critical remote code execution vulnerability has been discovered in the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extended negotiation security mechanism. This vulnerability, designated as CVE-2022-37958, has been rated as having a CVSS score of 10, the highest possible severity rating. Microsoft has previously patched the original vulnerability associated with this CVE (Information Disclosure/Low) on its September 13, 2022 Monthly Rollup and on December 13, 2022, the severity rating was raised to a High Severity.

SPNEGO is a security mechanism that is commonly used in web applications to negotiate the authentication and security protocols that will be used to establish secure connections between the web application and its clients. The vulnerability lies in the way that SPNEGO processes specially crafted authentication requests, which can allow an attacker to execute arbitrary code on the server hosting the vulnerable web application.

The risks to RDP and SMB are significant, as these protocols are commonly used in businesses and organizations. RDP allows users to remotely connect to and control another computer or device, while SMB is used for file sharing and other network services. If these protocols are not properly secured, an attacker could potentially gain access to a network and cause significant damage.

To protect against this vulnerability, it is important to ensure that all systems that use RDP and SMB are regularly patched and updated. This will help to prevent attackers from exploiting the vulnerability. In addition, it is important to use strong and unique passwords for RDP and SMB connections, and to regularly change these passwords to prevent unauthorized access.

It is also advised to use a virtual private network (VPN) when connecting to RDP, as this will help to encrypt the connection and protect against potential attacks. Additionally, limiting access to RDP and SMB ports and restricting access to only trusted users and devices can also help to reduce the risk of an attack.

The impact of this vulnerability is severe, as it can allow attackers to completely compromise the security of vulnerable web applications and gain full access to sensitive data and system resources. In addition, the vulnerability can be exploited remotely, meaning that attackers do not need to have any access to the network or physical access to the server in order to exploit it.

The vulnerability was discovered by Security Researcher Valentina Palmiotti after discovering the vulnerability could allow attackers to remotely execute code. Security researchers at the CERT Coordination Center (CERT/CC), who have released an advisory detailing the issue and providing guidance on how to mitigate it. In their advisory, CERT/CC recommends that organizations using vulnerable versions of SPNEGO should upgrade to a patched version as soon as possible.

In addition to patching the vulnerability, organizations should also take steps to protect themselves from potential attacks. This may include implementing network intrusion detection and prevention systems, monitoring network traffic for suspicious activity, and ensuring that web application firewalls are properly configured to block malicious traffic.

Overall, the discovery of this critical remote code execution vulnerability in SPNEGO highlights the need for organizations to keep their security systems up to date and to closely monitor their networks for potential threats. By taking these steps, organizations can help to protect themselves and their sensitive data from the risks posed by this and other vulnerabilities.

There are currently no publicly available exploits for this vulnerability and active exploitation has not been seen in the wild. Red Piranha is closely monitoring any further developments related to this vulnerability through our open and closed Intelligence sharing platforms and will provide additional advisories as necessary.

Date Published
December 14, 2022