Microsoft Vulnerability Upgraded to Critical Due to RCE Risk

Code Execution Bug Has Broader Scope Than Flaw Exploited by EternalBlue, IBM Says
Image: Michael Kappe/CC BY-NC 2.0

Microsoft upgraded a vulnerability first discovered in September to "critical" after IBM Security researchers discovered attackers could exploit the flaw to remotely execute code.


Big Blue researchers say the latest code execution bug actually has a broader scope and could potentially affect a wider range of Windows systems than the vulnerability exploited by EternalBlue in the cataclysmic 2017 WannaCry ransomware attacks. That's because the flaw capitalizes on the large attack surface of client-server software authentication services exposed to the public internet or on internal networks, according to IBM.

IBM security researcher Valentina Palmiotti revealed on Twitter on Tuesday that the Microsoft vulnerability can be reached via any Windows application protocol that authenticates, including Remote Desktop Protocol and Server Message Block. To make matters worse, IBM says the vulnerability doesn't require user interaction or authentication by a victim on the target system.

"This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols," IBM wrote last week. "It has the potential to be wormable."

As a result, Microsoft has reclassified this vulnerability as "critical" with a CVSS score of 8.1 - the same given to EternalBlue - and all but one category rated at maximum severity. The exception is "exploit complexity," which is rated "high" since successfully capitalizing on the vulnerability would force an attacker to prepare the target environment to improve exploit reliability, according to Microsoft.

Technical Details of Exploit on Hold

IBM says it will hold off on releasing full technical details of the exploit until spring 2023 in order to give defenders time to apply the patches. Microsoft fixed the vulnerability in September and designated it as "important" since it believed the flaw allowed only for the disclosure of potentially sensitive information.

The vulnerability resides in a security mechanism that allows the client and server to negotiate the means of authentication. By exploiting the vulnerability, attackers can remotely execute malicious code by accessing the SPNEGO Extended Negotiation Security Mechanism while the target is using a Windows application protocol that authenticates, according to IBM.

The list of affected protocols is not exhaustive; the vulnerability may be reachable wherever SPNEGO is in use, including in the Simple Mail Transfer Protocol and HTTP. SPNEGO can also be enabled with Kerberos or Net-NTLM authentication.

Along with applying the patch from Microsoft's security update, IBM says users should review whether services such as SMB and RDP are exposed to the internet and monitor Microsoft IIS HTTP web servers with Windows Authentication enabled. If the patch can't be applied, IBM says users should limit Windows authentication providers to Kerberos or Net-NTLM and remove "Negotiate" as a default provider.
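The following PowerShell script is an added example, not code from the article or from IBM, that turns the guidance above into a quick audit: it lists IIS sites with Windows Authentication enabled and flags those whose provider list includes "Negotiate", then shows whether SMB (445) and RDP (3389) are listening and on which addresses. It assumes the IIS WebAdministration module is installed and that the script runs with local administrator rights.

```powershell
# Added example (not from the article or IBM). Assumes the IIS
# WebAdministration module is available and the shell is elevated.
Import-Module WebAdministration

# Report each IIS site that has Windows Authentication enabled, together with
# its configured providers, and flag sites still offering "Negotiate".
function Get-NegotiateSites {
    foreach ($site in Get-Website) {
        $path = "IIS:\Sites\$($site.Name)"
        $winAuth = Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name enabled
        if (-not $winAuth.Value) { continue }   # Windows Auth off: nothing to review

        $providers = (Get-WebConfiguration -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/providers').Collection |
            ForEach-Object { $_.value }

        [pscustomobject]@{
            Site         = $site.Name
            Providers    = ($providers -join ', ')
            HasNegotiate = ($providers -contains 'Negotiate')
        }
    }
}

Get-NegotiateSites | Format-Table -AutoSize

# Remediation per the article (only if the patch cannot be applied): drop
# "Negotiate" from a site's provider list. Uncomment and set $siteName first.
# $siteName = 'Default Web Site'   # placeholder: substitute the real site name
# Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
#     -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
#     -Name '.' -AtElement @{ value = 'Negotiate' }

# Exposure check for the services the article names: which addresses are
# SMB (445) and RDP (3389) bound to, and which process owns the listener?
# A listener on 0.0.0.0 or a public interface is the case to review.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 445, 3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Run the audit on each IIS host and on any server reachable from untrusted networks; a site that reports HasNegotiate as True while unpatched is the condition the article advises changing.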

About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
