CVE-2022-37958 | SPNEGO Extended Negotiation (NEGOEX) Vulnerability


CVE-2022-37958

A recently discovered security vulnerability in SPNEGO Extended Negotiation (NEGOEX) can result in remote code execution on Windows systems. The vulnerability is tracked as CVE-2022-37958, with a CVSS score of 10.


The vulnerability was discovered by security researcher Valentina Palmiotti.


Working of SPNEGO:


SPNEGO → Simple and Protected GSS-API Negotiation Mechanism

SPNEGO is used when a client application wants to authenticate to a remote server. SPNEGO authentication is a server-side solution that is used to establish secure connections between the web application and its clients.




Extended Negotiation (NEGOEX):


NEGOEX can be used in almost any situation where an application protocol uses GSS to perform authentication.


The NEGOEX protocol is designed to address the drawbacks of the SPNEGO negotiation model. When negotiated by SPNEGO


Attack Flow:


  • The attacker can target publicly accessible web servers with the NEGOEX protocol enabled.

  • This vulnerability can be exploited through any existing Microsoft application protocol used for authentication, such as SMB, RDP, and even IIS HTTP web servers.

  • The web server has Windows Authentication enabled.

  • This allows attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via SMB, RDP, and even IIS HTTP web servers.

Recommendations:

  • Monitor Windows services, such as SMB and RDP, that are exposed to the internet.

  • Continuous monitoring of your Microsoft IIS HTTP web servers that have Windows Authentication enabled.

  • Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.
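
One way to check the last recommendation offline, as an added example that is not part of the original post: the script below reads a copy of an IIS `applicationHost.config` and lists every scope where Windows Authentication is enabled and the plain `Negotiate` provider is still in effect, including scopes that only inherit it from the server default. The sample configuration is constructed, the function names are hypothetical, and the script assumes each `<location>` inherits only from the server default (nested locations and per-site `web.config` overrides are not modelled).

```python
import xml.etree.ElementTree as ET

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"
# Constructed sample in the layout of IIS applicationHost.config (not a real server).
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false">
      <providers><add value="Negotiate" /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer>
  <location path="Intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Intranet/hardened">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def effective(node, base_enabled=False, base_providers=()):
    """Resolve (enabled, providers) for one windowsAuthentication element."""
    if node is None:  # section absent: everything is inherited
        return base_enabled, list(base_providers)
    enabled = node.get("enabled", str(base_enabled)).lower() == "true"
    providers = list(base_providers)
    for op in node.findall("providers/*"):  # collection edits apply in order
        value = op.get("value", "").lower()
        if op.tag == "clear":
            providers = []
        elif op.tag == "remove":
            providers = [p for p in providers if p != value]
        elif op.tag == "add":
            providers.append(value)
    return enabled, providers

def negotiate_exposed(config_xml):
    """Scopes with Windows Authentication on and 'Negotiate' still offered."""
    root = ET.fromstring(config_xml)
    base = effective(root.find(WIN_AUTH))
    scopes = {"(server default)": base}
    for loc in root.findall("location"):  # assumption: inherits server default only
        scopes[loc.get("path", "")] = effective(loc.find(WIN_AUTH), *base)
    return [path for path, (on, provs) in scopes.items() if on and "negotiate" in provs]
```

On the constructed sample, `negotiate_exposed(SAMPLE_CONFIG)` returns only `Intranet`: that location never names a provider itself, so it picks up `Negotiate` from the server default, while `Intranet/hardened` clears the inherited list and offers NTLM only.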

Remediation:


Apply the latest Microsoft updates that have been released since the 13th of September.
