top of page
Writer's pictureHarisuthan

CVE-2022-37958 | SPNEGO Extended Negotiation (NEGOEX) Vulnerability


CVE-2022-37958

A recently discovered security vulnerability at SPNEGO Extended Negotiation (NEGOEX) will result in remote code execution at the windows systems, this vulnerability has been tracked under CVE-2022-37958 with the CVSS score of 10.


The vulnerability was discovered by Security Researcher Valentina Palmiotti


Working of SPNEGO:


SPNEGO → Simple and Protected GSS-API Negotiation Mechanism

SPNEGO is used when a client application wants to authenticate to a remote server, SPNEGO authentication is a server-side solution which used to establish secure connections between the web application and its clients




Extended Negotiation (NEGOEX):


NEGOEX can be used in almost any situation where an application protocol uses GSS to perform authentication.


The NEGOEX protocol is designed to address the drawbacks of the SPNEGO negotiation model. When negotiated by SPNEGO


Attack Flow:


  • The attacker can target publicly accessible web servers with NEGOEX protocol enables

  • This vulnerability can be exploited through any existing Microsoft application protocol used for authentication, such as SMB, RDP, and even IIS HTTP web servers

  • With the Windows Authentication enabled in the web server

  • This will result the attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via SMB, RDP, and even IIS HTTP web servers

POC:


Recommendations:

  • Monitor the windows services, such as SMB and RDP, which are exposed to the internet.

  • Continuous monitoring of your Microsoft IIS HTTP web servers that have Windows Authentication enabled.

  • Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.

Remediation:


latest Microsoft updates that have been released since the 13th of September.

Reference:


402 views1 comment

Recent Posts

See All

1 hozzászólás


Vendég
2022. dec. 22.


Kedvelés
bottom of page