Review suggested: Microsoft Windows is widely deployed across the sector, so please review the following and address it accordingly. Even with the holidays approaching, please do not defer reviewing this threat.
CVE-2022-37958 is a remote code execution (RCE) vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism of Windows, the component that negotiates which authentication protocol a client and server will use.
Why is this important? Exploitation could allow an unauthenticated attacker to execute code remotely. Microsoft released a fix in September 2022 with an "Important" rating; after further research by IBM X-Force, Microsoft raised the rating to "Critical" in December 2022 because the flaw has EternalBlue-like pre-authentication RCE characteristics and is potentially wormable.
- EternalBlue (CVE-2017-0144) is the vulnerability that was exploited by WannaCry ransomware attacks in 2017.
- Additionally, CVE-2022-37958 reportedly has the potential to be worse than EternalBlue, as it has a broader scope.
- EternalBlue affected only one protocol, Server Message Block version 1 (SMBv1), while CVE-2022-37958 is reachable through any Windows application protocol that authenticates via SPNEGO, including Server Message Block (SMB), Remote Desktop Protocol (RDP), Simple Mail Transfer Protocol (SMTP), and HTTP.
Is there a patch for CVE-2022-37958? Yes. Microsoft supplied a patch in September 2022.
Note: If your utility applied Microsoft's September 2022 updates, you should be protected against CVE-2022-37958. Because Windows updates are cumulative, any later monthly update also carries the fix. Sysadmins are still encouraged to confirm patch status rather than assume it.
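The following PowerShell check is an added example for confirming patch status; it is not part of the original advisory or of any vendor tooling. It assumes that the fix shipped in the September 2022 Patch Tuesday release (13 September 2022), that because Windows updates are cumulative any cumulative or security update installed on or after that date carries the fix, and that negoexts.dll is the NEGOEX security package whose version can be correlated with the KB article for your build. The function name Test-Cve202237958Patch and the "LikelyPatched" field are hypothetical names chosen for this example.

```powershell
# Added example, not from the original advisory: report whether a Windows host
# appears to carry the September 2022 update that fixes CVE-2022-37958.
# Run in an elevated PowerShell session. Assumptions are noted inline.

function Test-Cve202237958Patch {
    [CmdletBinding()]
    param(
        # Assumption: the fix shipped in the 13 September 2022 Patch Tuesday release.
        [datetime]$PatchReleaseDate = (Get-Date '2022-09-13')
    )

    # OS build and update build revision (UBR), to compare with the KB article
    # for your specific build.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    # Version of the NEGOEX security package DLL (informational; assumption that
    # this is the component patched, compare against the KB file list).
    $negoex = Get-Item -Path "$env:SystemRoot\System32\negoexts.dll" -ErrorAction SilentlyContinue
    $negoexVersion = if ($negoex) { $negoex.VersionInfo.FileVersion } else { 'not found' }

    # Cumulative/security updates installed on or after the release date.
    # Assumption: updates are cumulative, so any later one also includes the fix.
    $updates = Get-HotFix |
        Where-Object {
            $_.InstalledOn -and
            $_.InstalledOn -ge $PatchReleaseDate -and
            $_.Description -match 'Security|Update'
        } |
        Sort-Object -Property InstalledOn -Descending

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $build
        NegoexVersion = $negoexVersion
        LatestUpdate  = if ($updates) { $updates[0].HotFixID } else { $null }
        LatestUpdateOn= if ($updates) { $updates[0].InstalledOn.ToString('yyyy-MM-dd') } else { $null }
        # Heuristic only: no post-release update means the host is very likely exposed.
        LikelyPatched = [bool]$updates
    }
}

# Local check
$result = Test-Cve202237958Patch
$result | Format-List

if (-not $result.LikelyPatched) {
    Write-Warning "No security or cumulative update installed since September 2022; $($result.ComputerName) is likely still exposed to CVE-2022-37958."
}
```

For a fleet, wrap the function body in a script block and run it over a host list with Invoke-Command -ComputerName (for example, Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-Cve202237958Patch}); export the objects to CSV and follow up on every row where LikelyPatched is false. Treat a "true" result as a prompt to verify the build and UBR against Microsoft's KB article for that release rather than as proof of remediation, since Get-HotFix does not list every servicing path.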
Is CVE-2022-37958 being exploited? No. At the time of this posting there is no known in-the-wild exploitation and no public proof-of-concept code.
Additional analysis and information on CVE-2022-37958:
- https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/
- https://www.tenable.com/blog/cve-2022-37958-faq-for-critical-microsoft-spnego-negoex-vulnerability
- https://heimdalsecurity.com/blog/spnego-vulnerability-lets-attackers-execute-code-remotely/
- https://arcticwolf.com/resources/blog/cve-2022-37958/