In Microsoft’s September 2022 security patches, a vulnerability in SPNEGO NEGOEX (CVE-2022-37958) was disclosed and patched. On Dec. 13, Microsoft reclassified this vulnerability as “critical” after security researchers discovered this vulnerability could also allow remote code execution (RCE).
This vulnerability requires no authentication, affects a wide range of protocols and has the potential to be turned into a network worm.
Threat actors who abuse this vulnerability could execute code remotely by reaching the NEGOEX protocol through any Windows application protocol that authenticates, including Server Message Block (SMB) and Remote Desktop Protocol (RDP), which use it by default. SPNEGO is also used by Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP) when SPNEGO authentication is enabled.
Although Microsoft rates the vulnerability “critical”, it carries a CVSS 3.1 score of 8.1 (High) because the attack is complex and may require multiple attempts to succeed.
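Because NEGOEX is reached through SPNEGO, a defender's first question is which services actually advertise it. The script below is an added example, not code from the Nuspire advisory: it encodes and decodes the mechTypes list of an SPNEGO NegTokenInit (the GSS-API token a Windows service offers during SMB, RDP or HTTP negotiation) and reports whether the NEGOEX mechanism OID (1.3.6.1.4.1.311.2.2.30) is present. The sample token is constructed inline from the standard mechanism OIDs; to inventory your own hosts you would feed it a token captured from a negotiate response. The parser is deliberately minimal and assumes a well-formed token whose first NegTokenInit field is mechTypes.

```python
"""Decode the mechanism list of an SPNEGO NegTokenInit and check for NEGOEX.

Added example for exposure inventory. Only the mechTypes field is parsed;
other NegTokenInit fields are ignored.
"""
from typing import List

SPNEGO_OID = "1.3.6.1.5.5.2"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"
MECH_NAMES = {
    NEGOEX_OID: "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
}


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as DER content bytes (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += enc
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Decode DER OID content bytes (first arc 0, 1 or 2 only)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mechs: List[str]) -> bytes:
    """Build a GSS-API InitialContextToken carrying only a mechTypes list."""
    mech_list = b"".join(_tlv(0x06, encode_oid(m)) for m in mechs)
    neg_token_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, mech_list)))
    return _tlv(0x60, _tlv(0x06, encode_oid(SPNEGO_OID)) + _tlv(0xA0, neg_token_init))


def parse_mech_types(token: bytes) -> List[str]:
    """Return the dotted OIDs listed in the token's mechTypes, in order."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)        # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg, 0)             # SEQUENCE
    tag, mech_ctx, _ = _read_tlv(seq, 0)      # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes is not the first field")
    _, mech_seq, _ = _read_tlv(mech_ctx, 0)   # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = _read_tlv(mech_seq, pos)
        mechs.append(decode_oid(oid))
    return mechs


def offers_negoex(token: bytes) -> bool:
    return NEGOEX_OID in parse_mech_types(token)


# Constructed sample: the four mechanisms a Windows host commonly advertises.
SAMPLE_MECHS = [NEGOEX_OID, "1.3.6.1.4.1.311.2.2.10", "1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"]
SAMPLE_TOKEN = build_neg_token_init(SAMPLE_MECHS)

if __name__ == "__main__":
    for m in parse_mech_types(SAMPLE_TOKEN):
        print(f"{m:28s} {MECH_NAMES.get(m, 'unknown')}")
    print("NEGOEX offered:", offers_negoex(SAMPLE_TOKEN))
```

Run against a real capture, a positive result means the service is willing to negotiate NEGOEX and belongs on the list of hosts to confirm as patched.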
Fortunately, patches for this vulnerability have been available since September.
Nuspire regularly applies patches as provided by vendors and is not affected.
SPNEGO is widely used among threat actors, so it’s important to take immediate action: