New Year’s Day is hardly a day old, and we have the biggest cybersecurity decision currently possible already in our hands: patch Windows vulnerability CVE-2022-37958. If you are using Microsoft Windows of any version, make sure to update your system as soon as possible.
Microsoft had issued an alert on CVE-2022-37958 in December, clearly mentioning that the bug patched in September was still wormable. A spot survey by The Cyber Express among its registered readers found that many are unaware of the bug.
A random survey among 32 CISO leaders across geographies working in organizations across sectors showed that only 17% initiated the patch, that too after the alert in December. An astonishing 43% is yet to ensure a complete update of their systems.
A few respondents actually asked us about the need for the survey. In other words, why the fuss?
Why is this a big cybersecurity decision?
CVE-2022-37958 could allow for remote code execution (RCE) on all Windows devices. Microsoft spotted the bug in September and issued a patch, initially believing it only allowed for the disclosure of potentially sensitive information.
There is currently a vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows for the negotiation of security mechanisms between a client and server.
This vulnerability is a pre-authentication remote code execution issue that affects a variety of protocols, including Server Message Block (SMB) and Remote Desktop Protocol (RDP).
The vulnerability also allows attackers to remotely execute arbitrary code by accessing the NEGOEX protocol through any Windows application that uses authentication.
The list of affected protocols is not exhaustive and could potentially include Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled for use with Kerberos or Net-NTLM authentication.
In December, IBM security researcher Valentina Palmiotti discovered that CVE-2022-37958 could lead to RCE. Microsoft re-evaluated the bug in the December 2022 Patch Tuesday update and decided to classify it as a RCE vulnerability rather than an Information Disclosure one.
It also upgraded the severity of the vulnerability to “Critical” and assigned it a CVSSv3 score of 8.1. The original CVSSv3 score was 7.5 with a severity rating of “High”.
What makes it deadly is the fact that it has the potential to rival EternalBlue.
Patching: Cybersecurity decision 101
The EternalBlue exploit was created by the NSA as a possible attack vector to be used in the cyber-attacks of the future, but it was later released to the public by the Shadow Brokers on April 14, 2017.
This occurred after Microsoft had already issued patches for the vulnerability. Just over a month later, on May 12, 2017, the WannaCry ransomware attack utilized EternalBlue to target unpatched computers around the world.
Like EternalBlue, this vulnerability allows attackers to execute malicious code without authentication and is wormable, meaning that one exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
However, unlike EternalBlue that was limited to the SMB protocol for file and printer sharing, this latest vulnerability is present in a wider range of network protocols, giving attackers more flexibility.
A patch has been available for three months. However, as with previous vulnerabilities, The Cyber Express spotted some organizations being slow to deploy patches. In some cases, they missed patching altogether!
Why firms fail to patch?
There are several common challenges that contribute to poor patch management within companies, wrote Dan Richings, SVP – Global Presales and Solutions Engineering, at endpoint IT management business Adaptiva.
One is that employees may be overwhelmed by the constant influx of patches that need to be applied.
This can result in a backlog of updates that need to be prioritized based on how widely used the affected application is and how severe the security vulnerability is.
Additionally, the increase in remote work has led to more employees using personal devices for work, which can be harder to secure and monitor for updates.
Another issue is that different teams within IT may be responsible for different tasks, such as identifying vulnerabilities and applying patches, leading to communication and workflow disruptions.
Change management processes can also be slow and outdated, causing delays in the patching process. There is also the possibility that the patches themselves may be flawed or compromised, requiring IT teams to carefully test and verify them before deployment.
Lastly, many patching processes are still done manually, requiring a significant amount of time and resources.