Microsoft Reclassifies SPNEGO Extended Negotiation Security Mechanism Vulnerability as Critical: What You Need to Know

In Microsoft’s September 2022 security patches, a vulnerability in SPNEGO NEGOEX (CVE-2022-37958) was disclosed and patched. On Dec. 13, Microsoft reclassified this vulnerability as “critical” after security researchers discovered this vulnerability could also allow remote code execution (RCE).

Tell me more about this vulnerability

This vulnerability is pre-authentication, impacts a wide range of protocols and has the potential to be turned into a network worm.

Threat actors who abuse this vulnerability could remotely execute code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, including Server Message Block (SMB) or Remote Desktop Protocol (RDP) by default. SPNEGO is also utilized within Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication is enabled.

Although rated “critical” by Microsoft, the CVSS 3.1 score 8.1 (High) was assigned due to the complexity of the attack and that multiple attempts may be required.

Fortunately, patches for this vulnerability have been available since September.

What is Nuspire doing?

Nuspire regularly applies patches as provided by vendors and is not affected.

What should I do?

SPNEGO is widely used among threat actors, so it’s important to take immediate action:

• Organizations should ensure they’ve applied the Microsoft security patches provided in September 2022. If they haven’t been, they should be as soon as possible.
• Review your digital footprint and reduce where possible. Secure services behind VPNs and trusted hosts.
• Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.