Windows service tampering vulnerability proof-of-concept code released
Security researchers at Akamai have released a proof-of-concept (POC) exploit for a vulnerability which is being tracked under CVE-2022-30216.
CVE-2022-30216 – A vulnerability that allows a malicious actor to perform server spoofing or trigger authentication coercion on affected systems. The vulnerability resides in the newly implemented Server Service (srvsvc) released in the latest versions of Windows 11 and Windows Server 2022. Srvsvc is a native Windows service which manages SMB shares through remote procedure calls (RPC) over named pipes. In the latest versions of Windows, Microsoft has added support for SMB over the QUIC protocol, which verifies the identity of servers using the server’s certificate and relies on the srvsvc service for certificate management. The exploit targets a flaw in the implementation of srvsvc, which does not adequately cover all of its available functions, allowing a malicious actor to connect to the remote RPC client and modify the configuration of certificate mappings on the server.
To perform the attack, the POC code combines this flaw with a New Technology LAN Manager (NTLM) relay attack against the Active Directory Certificate Services (AD CS) server.
Successful exploitation of this vulnerability would allow an authenticated malicious actor to perform remote code execution (RCE) against a targeted domain controller. CVE-2022-30216 has been assigned a CVSS score of 8.8.
Windows 11 and Windows Server 2022 devices which are missing one of the respective patches:
Microsoft Windows Server 2022
Microsoft Windows 11
Containment, Mitigations & Remediations
Microsoft has released the following patches for remediation against this vulnerability:
Indicators of Compromise
There are currently no indicators of compromise which have been released as part of this exploit.
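Because the flaw allows certificate mappings on the server to be modified, one defensive check is to compare each server's SMB over QUIC certificate mappings against a reviewed baseline. The PowerShell below is an added example, not code from Akamai or Microsoft; it uses the built-in Get-SmbServerCertificateMapping cmdlet, and the baseline path, CSV layout and helper function names are assumptions of the example.

```powershell
# Added example: baseline-and-compare audit of SMB over QUIC certificate mappings.
# $BaselinePath and the CSV layout are assumptions of this example.
param([string]$BaselinePath = 'C:\SecOps\smb-quic-mappings.csv')  # hypothetical path

function Get-MappingSnapshot {
    # Keep only the fields that decide which certificate a server name presents.
    Get-SmbServerCertificateMapping | ForEach-Object {
        [pscustomobject]@{
            Name       = ([string]$_.Name).ToLowerInvariant()
            Thumbprint = ([string]$_.Thumbprint).ToUpperInvariant()
            StoreName  = [string]$_.StoreName
        }
    }
}

function Get-MappingKey($Mapping) {
    '{0}|{1}|{2}' -f $Mapping.Name, $Mapping.Thumbprint, $Mapping.StoreName
}

function Compare-MappingSnapshot([object[]]$Baseline, [object[]]$Current) {
    # Set difference in both directions; a changed thumbprint shows up as one
    # 'NotInBaseline' row and one 'MissingFromServer' row for the same name.
    $base = @{}; foreach ($m in $Baseline) { $base[(Get-MappingKey $m)] = $true }
    $cur  = @{}; foreach ($m in $Current)  { $cur[(Get-MappingKey $m)]  = $true }
    foreach ($k in $cur.Keys)  { if (-not $base.ContainsKey($k)) { [pscustomobject]@{ Finding = 'NotInBaseline';     Mapping = $k } } }
    foreach ($k in $base.Keys) { if (-not $cur.ContainsKey($k))  { [pscustomobject]@{ Finding = 'MissingFromServer'; Mapping = $k } } }
}

$current = @(Get-MappingSnapshot)
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the current state for manual review, do not treat it as trusted.
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Warning "No baseline found; wrote $($current.Count) mapping(s) to $BaselinePath for review."
    return
}

$baseline = @(Import-Csv -LiteralPath $BaselinePath)
$findings = @(Compare-MappingSnapshot -Baseline $baseline -Current $current)

# A mapping that points at a thumbprint absent from the machine store is also worth a look.
foreach ($m in $current) {
    if (-not (Test-Path -LiteralPath "Cert:\LocalMachine\$($m.StoreName)\$($m.Thumbprint)")) {
        $findings += [pscustomobject]@{ Finding = 'CertNotInStore'; Mapping = (Get-MappingKey $m) }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize; exit 1 }
'SMB over QUIC certificate mappings match the baseline.'
```

Run it on a schedule on each SMB over QUIC server and keep the baseline file where only administrators can write to it; a non-zero exit code signals drift to investigate.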
Microsoft Windows systems hold a large share of the personal computing and server markets. Vulnerabilities which may be present within these systems should be addressed at the earliest possible point. The release of a POC exploit for this vulnerability will likely cause an increase in attacks which utilise this vulnerability as a mechanism for lateral movement within a Windows domain environment.
T1587.003 – Digital Certificates
T1203 – Exploitation for Client Execution
T1187 – Forced Authentication
Microsoft Security Bulletin for CVE-2022-30216
Windows support for SMB over QUIC