What just happened? A new, potent vulnerability has all that’s needed to turn Windows security upside down in millions of computers. The flaw has no official moniker yet and there’s already a fix available, but researchers are warning companies to install the latest patches or face the consequences.
The security world still remembers (and dreads) the chaos unleashed by EternalBlue in 2017, when the vulnerability discovered (and stockpiled) by the National Security Agency (NSA) was exploited by the infamous WannaCry and NotPetya attacks (among many others) to hit digital infrastructures all over the world.
Security researchers are now sounding a new alarm regarding another powerful vulnerability in town, one that could be even more dangerous than EternalBlue if left unpatched.
Tracked as CVE-2022-37958, the new flaw works just like EternalBlue and could be exploited to remotely execute malicious code with no authentication required. The bug is “wormable” too, which means it can self-replicate to hit other vulnerable systems. This is exactly the reason why WannaCry and the other 2017 attacks were able to spread so fast.
Unlike EternalBlue, however, CVE-2022-37958 is even more dangerous as it is not limited to the Server Message Block (SMB) protocol because it resides within the SPNEGO Extended Negotiation mechanism. SPNEGO is used by client-server software to negotiate the choice of security technology to use.
Thanks to SPNEGO, a client computer and an internet server can decide the protocol to use for authentication; beyond SMB, the list of affected protocols include RDP, SMTP and HTTP.
The danger posed by CVE-2022-37958 is mitigated by the fact that, unlike EternalBlue, the right solution has already been available for three months.
Microsoft fixed the bug in September 2022 with its monthly Patch Tuesday rollout. At the time, Redmond’s analysts classified the flaws as “important,” seeing the issue as a potential disclosure of sensitive information and nothing more. After reviewing the code, those same analysts have now assigned a “critical” tag to CVE-2022-37958 and a severity rating of 8.1 – the same as EternalBlue.
The fact that a patch is already available could be an aggravating factor rather than a positive one.
“As we’ve seen with other major vulnerabilities over the years” like MS17-010 exploited with EternalBlue, IBM security researcher Valentina Palmiotti said, “some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether.”
The threat is still out there, lurking in millions of Windows system from Windows 7 onward.