Anatomy of a security vulnerability in the Windows network file system • Registry |

Trend Micro Research has published a dissection of a remote code execution vulnerability in Windows residing in the network file system.

The said vulnerability, CVE-2022-30136, was patched by Microsoft in June (you keep your patches updated, right?) but the research makes interesting reading in terms of the vulnerability itself and the potential for exploitation.

The vulnerability was contained within the Windows Network File System (NFS) and was due to incorrect handling of NFSv4 requests. It can be exploited by sending malicious RPC calls to the target server. A successful exploit may lead to arbitrary code execution like SYSTEM while an unsuccessful exploit may cause the target to crash.

The roots of NFS go right back to the work of Sun Microsystems in 1984 and the vulnerability was in a Windows application. NFS uses open network computing (ONC) remote procedure call (RPC) to exchange control messages. The Windows vulnerability was “due to incorrect calculation of the size of response messages,” according to the researchers.

The server calls the function Nfs4SvrXdrpGetEncodeOperationResultByteCount() Calculates the size of each opcode response, but does not include the size of the opcode itself. “

The result is that the response buffer is too small and an overflow can result.

“As the functionality is used for NFS version 4 only, only NFS4 is at risk,” Trend Micro said.

Phishing attackers can use this vulnerability to trigger a request with enough operations to create a large-sized false account. Arbitrary code execution can be a consequence, or a simple system crash.

Tuesday’s June patch dealt with another vulnerability poster, Fulina, but CVE-2022-30136 appears to be relatively easy to use, certainly to the point that one can crash a remote server.

CVE-2022-30136 is now patched (although you need to install the fix for another NFS RCE, CVE-2022-26937, first). Microsoft noted that the vulnerability was not present in NFSv2 or v3 and suggested that the attack could be mitigated by disabling NFSv4.1.

However, as the Trend Micro Research team commented, doing so “could lead to job losses.”

“Implementing both updates in the appropriate order is the best way to fully address these vulnerabilities.”

A reminder that while Microsoft patches may break things, the security implications of not applying them can be painful. ®

Leave a Comment