CVE-2022-37958: FAQ for Critical Microsoft SPNEGO NEGOEX Vulnerability

Microsoft recently reclassified a vulnerability in SPNEGO NEGOEX, originally patched in September, after a security researcher discovered that it can lead to remote code execution. Organizations are urged to apply these patches as soon as possible.

Frequently Asked Questions (FAQ) about CVE-2022-37958

What is CVE-2022-37958?

CVE-2022-37958 is a remote code execution (RCE) vulnerability in the SPNEGO NEGOEX protocol of Windows operating systems, which supports authentication in applications.

What is SPNEGO NEGOEX?

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism and is an internet standard for negotiating which Generic Security Service Application Program Interface (GSSAPI) technology is used for authentication between a client and server.

NEGOEX is an extended negotiation mechanism for SPNEGO (SPNEGO NEGOEX) intended to enhance SPNEGO by addressing some of the drawbacks of SPNEGO while adding new GSSAPI extensions. More details about SPNEGO NEGOEX can be found here.

What protocols use SPNEGO NEGOEX?

Both Server Message Block (SMB) and Remote Desktop Protocol use NEGOEX for authentication by default, while Simple Mail Transfer Protocol (SMTP) and HTTP can be configured to do so. Please note that this is not an exhaustive list of protocols that use or can be configured to use SPNEGO NEGOEX.

When was this vulnerability patched?

Microsoft patched CVE-2022-37958 as part of its September 2022 Patch Tuesday release.

Wasn’t CVE-2022-37958 classified differently in September?

Yes, it was originally classified as an information disclosure vulnerability and assigned a CVSSv3 score of 7.5 and a severity rating of High.

Why did its classification change?

Valentina Palmiotti, a security researcher on IBM Security’s X-Force Red team discovered that CVE-2022-37958 could lead to RCE. Microsoft re-evaluated the vulnerability and changed its classification from Information Disclosure to RCE, its severity to Critical and assigned a CVSSv3 score of 8.1 as part of its December 2022 Patch Tuesday release.

Is CVE-2022-37958 wormable?

According to IBM Security X-Force Red, it “has the potential to be wormable.”

Is CVE-2022-37958 more severe than EternalBlue (CVE-2017-0144)?

Possibly, based on the fact that SPNEGO NEGOEX affects multiple protocols, while EternalBlue affects only SMBv1.

My organization already applied the September 2022 Patch Tuesday updates. Are we still vulnerable?

No. Microsoft only made informational changes to CVE-2022-37958 as part of the December 2022 Patch Tuesday release. As long as organizations have applied the September 2022 Patch Tuesday updates, they are protected against CVE-2022-37958.

Has CVE-2022-37958 been exploited in the wild?

There are no reports of confirmed in-the-wild exploitation for CVE-2022-37958 at the time this blog post was released.

Is there a proof-of-concept (PoC) for CVE-2022-37958?

At the time this blog was published, no PoC exploit code had been released for CVE-2022-37958. IBM said it plans to release full technical details for this flaw in Q2 2023, which may include a PoC.

Does Tenable have product coverage for CVE-2022-37958?

Yes, we have published several plugins for CVE-2022-37958 as part of the September 2022 Patch Tuesday release:

Additional product coverage for CVE-29022-37958 will appear here as it’s released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

• IBM Security X-Force Red Blog on Critical RCE in SPNEGO NEGOEX (CVE-2022-37958)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.