
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-37958 is a critical remote code execution (RCE) vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism affecting Windows operating systems. Initially disclosed and patched in September 2022 as an information disclosure vulnerability, it was later reclassified as Critical in December 2022 after security researcher Valentina Palmiotti from IBM Security's X-Force Red team discovered its RCE capabilities (Tenable Blog).
The vulnerability exists in the SPNEGO NEGOEX protocol, which is an internet standard for negotiating GSSAPI technology used for authentication between client and server. Multiple critical protocols, including Server Message Block (SMB), Remote Desktop Protocol (RDP), Simple Mail Transfer Protocol (SMTP), and HTTP, use NEGOEX for authentication by default or can be configured to use it. The vulnerability was initially assigned a CVSSv3 score of 7.5 but was later upgraded to 8.1 after reclassification as an RCE vulnerability (Arctic Wolf, Tenable Blog).
The vulnerability could allow an attacker to execute arbitrary code remotely by accessing the NEGOEX protocol via any Windows application protocol that authenticates. Security researchers have indicated that the vulnerability could be wormable and potentially more severe than EternalBlue (CVE-2017-0144), because it affects multiple protocols rather than just SMBv1 (Tenable Blog).
Microsoft released security updates to address CVE-2022-37958 as part of their September 2022 Patch Tuesday release. Organizations that applied the September 2022 updates are protected against this vulnerability, as the December 2022 update only included informational changes to the classification. It is strongly recommended to review and apply all applicable security updates to impacted Windows products (Arctic Wolf).
Source: This report was generated using AI