
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft Endpoint Configuration Manager (MECM) was found to contain a spoofing vulnerability tracked as CVE-2022-37972. The vulnerability was discovered by Brandon Colley of Trimarc Security and was publicly disclosed in September 2022. This security issue affects Configuration Manager current branch versions 2103 through 2207 (SecurityWeek, Microsoft Docs).
The vulnerability is related to the NTLM authentication fallback mechanism in MECM's client push installation feature. The flaw allowed attackers to bypass the NTLM connection fallback setting, which was previously thought to prevent certain types of attacks. Microsoft assigned this vulnerability a CVSS v3.1 base score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).
The vulnerability could be exploited by malicious actors to move laterally within a targeted organization's network. Since client push installation accounts often have domain admin or elevated privileges on multiple machines in the enterprise, the flaw could potentially be leveraged as part of a disruptive ransomware attack (SecurityWeek).
Microsoft released an out-of-band security update to address this vulnerability. Beginning with Configuration Manager version 2207, the 'Allow connection fallback to NTLM' option is disabled by default on new site installations. Microsoft recommends disabling this option in existing environments where possible to increase security. Administrators can also disable the use of automatic and manual client push installation methods to remove the risk of exposure to this issue (Microsoft Docs).
The US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to review Microsoft's advisory and apply the necessary updates. The security community acknowledged the potential severity of the vulnerability, particularly its implications for lateral movement and ransomware attacks (SecurityWeek).
Source: This report was generated using AI