A team of IBM researchers have now identified exploitability in a previously disclosed Windows code-execution flaw that has the potential to rival EternalBlue--the Windows security vulnerability that was used to perpetrate the WannaCry ransomware attack that shut down networks across the world in 2017—for organizations of all different sizes and industries.

CVE-2022-37958, the identifier for this new flaw on the National Vulnerabilities Database (NVD), enables threat actors to execute malicious code without any authentication. Similarly to EternalBlue, this new vulnerability is “wormable,” which means that a single exploit spread to other systems through self-replicating follow-on attacks across other vulnerable systems. It was the wormability of EternalBlue that enabled WannaCry to become a global epidemic in a matter of minutes—with no user interaction required.

Unfortunately, whereas EternalBlue could only be exploited when servers were using a vulnerable version of the server message block (SMB) protocol for file and printer sharing—among other network activities—this latest flaw applies to a broad range of network protocols.

The IBM security researcher who discovered the code-execution flaw, Valentina Palmiotti, explained, “An attacker can trigger the flaw via any Windows application protocols that authenticates. For example, the flaw can be triggered by trying to connect to an SMB share or via Remote Desktop. Some other examples include Internet exposed Microsoft IIS servers and SMTP servers that have Windows Authentication enabled. Of course, they can also be exploited on internal networks if left unpatched.”

The fix for CVE-2022-37958 was released by Microsoft in September during its Patch Tuesday rollout of security fixes for the month. However, at that time Microsoft believed the flaw could only be leveraged to gain access to information that may or may not be sensitive, depending on the systems in question. With that in mind, Microsoft assigned only the severity level of "important."

As of last week and following the release of the research by IBM, Microsoft revised the designation to critical with a severity rating of 8.1—the same rating assigned to EternalBlue.

Palmiotti did mention that organizations have some reasons for optimism, but that the risk should not be taken lightly. Said Palmiotti, “While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time. As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether.”

IBM's writeup of the flaw can be found here.

As has recently been noted on this blog, IT and security teams desperately need to prioritize patching and yet few organizations feel capable of keeping up with the cadence of patching required to keep risks at an acceptable level—especially when dealing with zero-day vulnerabilities or similar issues for which organizations receive little warning.

Webcheck Security is one of the few security consulting firms that maintains a roster of highly qualified and battle-hardened virtual Chief Information Security Officers (CISOs)—also known as vCISOs or Fractional Information Security Officers (FISOs). vCISOs excel at guiding struggling organizations through to full security maturity. Contact us today to schedule a meeting to discuss how you can take advantage of the benefits of a vCISO.