Critical security vulnerability: Injection of malicious code into Microsoft systems possible
CVE ID: CVE-2022-37958
CVSS Base Score: 8.1/10
General
Back in September of this year, a Microsoft security vulnerability with a CVSS Base Score of 6.8/10 was published. It concerns a vulnerability, initially considered low-risk, in the security mechanism SPNEGO Extended Negotiation (NEGOEX). This mechanism is used to negotiate which authentication protocol a client and a server will use with each other, and it underlies many Microsoft application protocols.
The following list gives an overview of the best-known protocols that can use SPNEGO:
Common Internet File System (CIFS) / Server Message Block (SMB)
HTTP
CredSSP, which is used by RDP
Remote Procedure Call Extensions
Lightweight Directory Access Protocol (LDAP)
Microsoft has now raised the severity of the vulnerability to "critical"; the base score is now 8.1/10. The reason is that it was originally assumed that exploiting the vulnerability would only allow information to be read out of the affected system. In the meantime, however, it has turned out that attackers can also inject malicious code into the affected system by exploiting the vulnerability. The first proof-of-concept (PoC) exploits are already available.
Affected systems
All current Windows versions are affected. According to Microsoft, Windows versions from 7 to 11, as well as Windows Server from 2008 R2 to 2022, are potential attack targets.
When are you affected?
You are using a Windows operating system.
You have client or server applications that use SPNEGO.
You have not installed the Microsoft patch from September 2022 (or a later update).
Detection of the vulnerability
After the vulnerability was announced, our knowledge database and scan cluster on the go.lywand.com platform were updated. The vulnerability is identified in the course of lywand's security scans.
Recommendation
Update Windows systems to the latest patch level. In particular, make sure the installed updates are at least as recent as September 13, 2022, the date of the patch linked below.
Link to the patch:
https://support.microsoft.com/en-us/topic/september-13-2022-security-update-kb5017316-0f0e00f9-a27c-496d-81b7-aa3b3bb010bc
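The following PowerShell function is an added example for checking the "When are you affected?" conditions and the recommendation above on a single host; it is not part of this advisory and not lywand's scanner code. It reports the Windows version, the newest installed hotfix, whether a security update dated September 13, 2022 or later is present, and whether the KB number from the patch link (KB5017316) is installed. It assumes that Get-HotFix (which reads the Win32_QuickFixEngineering class) lists the installed cumulative updates with an InstalledOn date, and that the KB number in the link applies to one Windows build, since other builds received differently numbered updates on the same date; the absence of that exact KB on its own therefore does not mean a host is unpatched.

```powershell
# Added example, not part of the advisory or of lywand's scanner.
# Reports whether this Windows host meets the advisory's criterion: a security
# update dated September 13, 2022 or later is installed. It also reports whether
# the KB number from the advisory link (KB5017316) is present.
# Assumptions: Get-HotFix (Win32_QuickFixEngineering) lists installed cumulative
# updates with an InstalledOn date; the KB number from the link applies to one
# Windows build, other builds got differently numbered updates on the same date.

function Test-Cve202237958PatchLevel {
    [CmdletBinding()]
    param(
        [datetime] $PatchDate  = [datetime]'2022-09-13',  # date from the advisory
        [string]   $AdvisoryKb = 'KB5017316'              # KB from the advisory link
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $allHotfixes = Get-HotFix

    # Keep only entries that carry an install date; some rows have none.
    $datedHotfixes = $allHotfixes |
        Where-Object { $_.InstalledOn -is [datetime] } |
        Sort-Object -Property InstalledOn -Descending

    $newest = $datedHotfixes | Select-Object -First 1

    $hasAdvisoryKb = [bool]($allHotfixes | Where-Object { $_.HotFixID -eq $AdvisoryKb })

    # Only entries of type "Security Update" installed on or after the patch
    # date count toward the advisory's criterion.
    $recentSecurity = $datedHotfixes | Where-Object {
        $_.Description -eq 'Security Update' -and
        $_.InstalledOn.Date -ge $PatchDate.Date
    }

    $status = if ($recentSecurity)  { 'PATCHED_BY_DATE' }
              elseif ($hasAdvisoryKb) { 'PATCHED_KB_PRESENT' }
              else                    { 'CHECK_REQUIRED' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OperatingSystem       = $os.Caption
        Build                 = $os.Version
        NewestHotfix          = $newest.HotFixID
        NewestHotfixInstalled = $newest.InstalledOn
        SecurityUpdatesSince  = @($recentSecurity).Count
        AdvisoryKbPresent     = $hasAdvisoryKb
        Status                = $status
    }
}

# Usage: run in an elevated PowerShell session so Get-HotFix output is complete.
Test-Cve202237958PatchLevel | Format-List
```

A result of CHECK_REQUIRED means neither a security update from September 13, 2022 or later nor the linked KB was found and the host should be treated as potentially unpatched; because Win32_QuickFixEngineering does not record every update channel, confirm with the Windows Update history or a lywand scan before closing the finding. The function can be run against many hosts with Invoke-Command and the results filtered on the Status property.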