Microsoft Vulnerability Upgraded to Critical Due to RCE RiskCode Execution Bug Has Broader Scope Than Flaw Exploited by EternalBlue, IBM Says
Microsoft upgraded a vulnerability first discovered in September to "critical" after IBM Security researchers discovered attackers could exploit the flaw to remotely execute code.
See Also: 2022 Unit 42 Incident Response Report
Big Blue researchers say the latest code execution bug actually has a broader scope and could potentially affect a wider range of Windows systems than the vulnerability exploited by EternalBlue in the cataclysmic 2017 WannaCry ransomware attacks. That's because the flaw capitalizes on the large attack surface of client-server software authentication services exposed to the public internet or on internal networks, according to IBM.
IBM security researcher Valentina Palmiotti revealed on Twitter on Tuesday that the Microsoft vulnerability can be reached via any Windows application protocol that authenticates, including Remote Desktop Protocol and Server Message Block. To make matters worse, IBM says the vulnerability doesn't require user interaction or authentication by a victim on the target system.
"This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols," IBM wrote last week. "It has the potential to be wormable."
As a result, Microsoft has reclassified this vulnerability as "critical" with a CVSS score of 8.1 - the same given to EternalBlue - and all but one category rated at maximum severity. The exception is "exploit complexity," which is rated "high" since successfully capitalizing on the vulnerability would force an attacker to prepare the target environment to improve exploit reliability, according to Microsoft.
Technical Details of Exploit on Hold
IBM says it will hold off on releasing full technical details of the exploit until spring 2023 in order to give defenders time to apply the patches. Microsoft fixed the vulnerability in September and designated it as "important" since they believed it allowed only for the disclosure of potentially sensitive information.
The vulnerability resides in a security mechanism that allows the client and server to negotiate the means of authentication. By exploiting the vulnerability, attackers can remotely execute malicious code by accessing the SPNEGO Extended Negotiation Security Mechanism while the target is using a Windows application protocol that authenticates, according to IBM.
The list of affected protocols is not complete and may exist wherever SPNEGO is in use, including in Simple Message Transfer Protocol and HTTP. SPNEGO can also be enabled with Kerberos or Net-NTLM authentication.
Along with applying the patch from Microsoft's security update, IBM says users should review whether services such as SMB and RDP are exposed to the internet and monitor Microsoft IIS HTTP web servers with Windows Authentication enabled. If the patch can't be applied, IBM says users should limit Windows authentication providers to Kerberos or Net-NTLM and remove "Negotiate" as a default provider.