Critical Windows code-execution vulnerability went undetected until now

Skull and crossbones in binary code

Researchers recently discovered a Windows code-execution vulnerability that has the potential to rival EternalBlue, the name of a different Windows security flaw used to detonate WannaCry, the ransomware that shut down computer networks across the world in 2017.

Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.

“An attacker can trigger the vulnerability via any Windows application protocols that authenticates,” Valentina Palmiotti, the IBM security researcher who discovered the code-execution vulnerability, said in an interview. “For example, the vulnerability can be triggered by trying to connect to an SMB share or via Remote Desktop. Some other examples include Internet exposed Microsoft IIS servers and SMTP servers that have Windows Authentication enabled. Of course, they can also be exploited on internal networks if left unpatched.”

Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed that the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of “important.” In the routine course of analyzing vulnerabilities after they’re patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.

CVE-2022-37958 resides in the SPNEGO Extended Negotiation, a security mechanism abbreviated as NEGOEX that allows a client and server to negotiate the means of authentication. When two machines connect using Remote Desktop, for instance, SPNEGO allows them to negotiate the use of authentication protocols such as NTLM or Kerberos.

CVE-2022-37958 allows attackers to remotely execute malicious code by accessing the NEGOEX protocol while a target is using a Windows application protocol that authenticates. Besides SMB and RDP, the list of affected protocols can also include Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) if SPNEGO negotiation is enabled.

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA’s highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit.

Palmiotti said there is reason for optimism but also for risk. “While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time,” said Palmiotti. “As we’ve seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether.”