Trend Micro Research has published an anatomy of a Windows remote code execution vulnerability that lurks in the network file system.
The vulnerability in question, CVE-2022-30136, was patched by Microsoft in June (you keep your patches up to date, don’t you?) but the research is interesting to read both in terms of the vulnerability itself and its potential for exploitation.
The vulnerability was contained in the Windows Network File System (NFS) server and was due to improper handling of NFSv4 requests. It could be exploited by sending malicious RPC calls to a target server. A successful exploit could result in the execution of arbitrary code as SYSTEM, while an unsuccessful exploit could simply crash the target.
The roots of NFS go back to the work of Sun Microsystems in 1984 and the vulnerability existed in the Windows implementation. NFS uses Open Network Computing (ONC) remote procedure call (RPC) to exchange control messages. The Windows vulnerability was “due to an incorrect calculation of the size of response messages”, according to the researchers.
“The server calls the function Nfs4SvrXdrpGetEncodeOperationResultByteCount() to calculate the size of each opcode response, but this does not include the size of the opcode itself.”
The result is an undersized response buffer and an overflow may result.
“Due to the function being used only for NFS version 4, only NFS4 is vulnerable,” Trend Micro said.
Clever attackers could use this vulnerability by sending a request containing enough operations that the per-operation undercount adds up to a large miscalculation. Execution of arbitrary code could be the result, or a simple system crash.
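To make the arithmetic concrete, here is an added example in C that is not Trend Micro's or Microsoft's code and does not reproduce the Windows internals. It encodes a simplified NFSv4 COMPOUND response (status, tag, result array, per RFC 7530) with a bounds-checked encoder, sizes the output buffer once with a calculation that mirrors the described bug (result bodies only, no 4-byte opcode) and once with the corrected calculation, and shows the shortfall growing by four bytes per operation. The sample operations (PUTROOTFH results carrying an NFS4_OK status) and the function names are constructed for this illustration.

```c
/* Added example: simplified NFSv4 COMPOUND4res encoder showing how a
 * size calculation that omits the per-operation opcode undersizes the
 * response buffer. Layout follows RFC 7530; the Windows implementation
 * is not reproduced. Function and type names are illustrative only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { OP_PUTROOTFH = 24, NFS4_OK = 0, MAX_OPS = 64 };

typedef struct {
    uint32_t opcode;        /* nfs_opnum4 */
    const uint8_t *body;    /* already XDR-encoded result body */
    size_t body_len;        /* multiple of 4 */
} op_result;

/* Mirrors the bug described above: counts only each op's result body. */
size_t resarray_size_buggy(const op_result *ops, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += ops[i].body_len;
    return total;
}

/* Corrected: every resarray entry is opcode (4 bytes) + body. */
size_t resarray_size_fixed(const op_result *ops, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += 4 + ops[i].body_len;
    return total;
}

/* status(4) + tag length(4) + padded tag + numres(4) + resarray */
size_t compound_size(size_t tag_len, size_t resarray_len) {
    return 4 + 4 + ((tag_len + 3) & ~(size_t)3) + 4 + resarray_len;
}

/* Big-endian XDR uint32; returns 0 instead of writing past buflen. */
static int put_u32(uint8_t *buf, size_t buflen, size_t *pos, uint32_t v) {
    if (buflen - *pos < 4) return 0;
    buf[*pos] = (uint8_t)(v >> 24); buf[*pos + 1] = (uint8_t)(v >> 16);
    buf[*pos + 2] = (uint8_t)(v >> 8); buf[*pos + 3] = (uint8_t)v;
    *pos += 4;
    return 1;
}

/* XDR variable-length opaque: length, data, zero padding to 4 bytes. */
static int put_opaque(uint8_t *buf, size_t buflen, size_t *pos,
                      const uint8_t *data, size_t len) {
    size_t padded = (len + 3) & ~(size_t)3;
    if (!put_u32(buf, buflen, pos, (uint32_t)len)) return 0;
    if (buflen - *pos < padded) return 0;
    memcpy(buf + *pos, data, len);
    memset(buf + *pos + len, 0, padded - len);
    *pos += padded;
    return 1;
}

/* Bounds-checked encoder. Returns bytes written, or 0 where an unchecked
 * encoder would have written past the end of the buffer. */
size_t encode_compound(uint8_t *buf, size_t buflen, uint32_t status,
                       const char *tag, const op_result *ops, size_t n) {
    size_t pos = 0;
    if (!put_u32(buf, buflen, &pos, status)) return 0;
    if (!put_opaque(buf, buflen, &pos, (const uint8_t *)tag, strlen(tag))) return 0;
    if (!put_u32(buf, buflen, &pos, (uint32_t)n)) return 0;
    for (size_t i = 0; i < n; i++) {
        /* These 4 bytes are exactly what the buggy size calculation omits. */
        if (!put_u32(buf, buflen, &pos, ops[i].opcode)) return 0;
        if (buflen - pos < ops[i].body_len) return 0;
        memcpy(buf + pos, ops[i].body, ops[i].body_len);
        pos += ops[i].body_len;
    }
    return pos;
}

/* Constructed sample: n PUTROOTFH results, each body a 4-byte NFS4_OK. */
static const uint8_t nfs4_ok_body[4] = {0, 0, 0, NFS4_OK};
static void make_ops(op_result *ops, size_t n) {
    for (size_t i = 0; i < n; i++)
        ops[i] = (op_result){OP_PUTROOTFH, nfs4_ok_body, sizeof nfs4_ok_body};
}

/* Bytes by which the buggy calculation undercounts n such operations. */
size_t buggy_undercount(size_t n) {
    op_result ops[MAX_OPS];
    if (n > MAX_OPS) return 0;
    make_ops(ops, n);
    return resarray_size_fixed(ops, n) - resarray_size_buggy(ops, n);
}

/* Size the buffer with one calculation, then encode into it. */
size_t encode_sized_by(size_t n, int use_fixed) {
    op_result ops[MAX_OPS];
    if (n > MAX_OPS) return 0;
    make_ops(ops, n);
    size_t resarray = use_fixed ? resarray_size_fixed(ops, n)
                                : resarray_size_buggy(ops, n);
    size_t need = compound_size(0, resarray);
    uint8_t *buf = malloc(need);
    size_t written = buf ? encode_compound(buf, need, NFS4_OK, "", ops, n) : 0;
    free(buf);
    return written;
}

int main(void) {
    for (size_t n = 1; n <= MAX_OPS; n *= 8)
        printf("%2zu ops: undercount %3zu bytes, fixed-size encode %3zu, "
               "buggy-size encode %zu\n", n, buggy_undercount(n),
               encode_sized_by(n, 1), encode_sized_by(n, 0));
    return 0;
}
```

The bounds check in `encode_compound` stands in for the overflow: wherever this example returns 0 for a buffer sized by `resarray_size_buggy`, an encoder without the check would have written past the allocation, and the shortfall is four bytes for every operation the client packed into the request.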
June’s Patch Tuesday dealt with that other poster child of security flaws, Follina, but CVE-2022-30136 seems to be relatively easy to exploit, certainly to the point where one could crash a server remotely.
CVE-2022-30136 has now been fixed (although you must first install the fix for another NFS RCE, CVE-2022-26937). Microsoft noted that the vulnerability did not exist in NFSv2 or v3 and suggested an attack could be mitigated by disabling NFSv4.1.
However, as noted by the Trend Micro research team, this “could lead to loss of functionality”.
“Applying both updates in the correct order is the best method to fully address these vulnerabilities.”
A reminder that while Microsoft’s patches can break things, the security implications of not applying them could be painful. ®