Windows Network File System flaw results in arbitrary code execution as SYSTEM

Trend Micro Research has published an anatomy of a Windows remote code execution vulnerability lurking in the Network File System.

The vulnerability in question, CVE-2022-30136, was patched by Microsoft in June (you do keep your patches up to date, don't you?) but the research makes for interesting reading both in terms of the vulnerability itself and the potential for exploitation.

The vulnerability was contained within the Windows Network Filing System (NFS) and was due to improper handling of NFSv4 requests. It could be exploited by sending malicious RPC calls to a target server. Successful exploitation could result in arbitrary code execution as SYSTEM while unsuccessful exploitation could just crash the target.

The roots of NFS go right back to the work of Sun Microsystems in 1984 and the vulnerability existed in the Windows implementation. NFS uses Open Network Computing (ONC) Remote Procedure Call (RPC) to exchange control messages. The Windows vulnerability was "due to incorrect calculation of the size of response messages," according to the researchers.

"The server calls the function Nfs4SvrXdrpGetEncodeOperationResultByteCount() to calculate the size of each opcode response, but it does not include the size of the opcode itself."

The result is a response buffer being too small and an overflow can result.

"Due to the function only being used for NFS version 4, only NFS4 is vulnerable," said Trend Micro.

• Lenovo issues firmware updates after UEFI vulnerabilities disclosed
• Microsoft's July Patch Tuesday fixes actively exploited bug
• Amazon squashes years-old authentication bugs in AWS Kubernetes service
• Older AMD, Intel chips vulnerable to data-leaking 'Retbleed' Spectre variant

Crafty attackers could use this vulnerability to fire off a request with enough operations to create a large size miscalculation. The execution of arbitrary code could be the result, or a simple crash of the system.

June's Patch Tuesday dealt with that other poster child of security holes, Follina, but CVE-2022-30136 looks to be relatively simple to exploit, certainly to the point where one could remotely crash a server.

CVE-2022-30136 has now been patched (although you need to install the fix for another NFS RCE, CVE-2022-26937, first). Microsoft noted that the vulnerability did not exist in NFSv2 or v3 and suggested that an attack could be mitigated by disabling NFSv4.1.

However, as the Trend Micro Research Team commented, doing so "could lead to a loss of functionality."

"Applying both updates in the appropriate order is the best method to fully address these vulnerabilities."

A reminder that while Microsoft's patches might break things, the security implications of not applying them could be painful. ®