
Just in Time Bulletin: CVE-2022-30136 RCE in NFSv4

Jul 19, 2022

What is CVE-2022-30136? 

CVE-2022-30136 is an unauthenticated remote command execution vulnerability that impacts Windows Server versions 2012, 2016, and 2019. The vulnerability is rooted in the Network File System (NFS). NFS is a distributed file system protocol that builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The protocol enables a remote client to access files on a server in a similar capacity to local storage. The vulnerability, detailed in an analysis by Trend Micro Vulnerability Research Service, is attributed to a miscalculation in the size of a response message, which can result in a response message larger than the allocated space, causing the buffer to overflow.

Successful exploitation by an unauthenticated remote attacker would result in remote command execution with SYSTEM privileges. Unsuccessful attempts would likely result in a system crash.

How bad is this? 

| CVE | CVSSv3 Score |
|---|---|
| CVE-2022-30136 | 9.8 |

Active exploitation today: Unknown 

Severity: Critical

  • Unauthenticated remote command execution
  • Results in trivial remote command execution on vulnerable platforms
  • Currently no public exploit, but a low level of complexity according to Microsoft

Who is affected by this? 

Vulnerable applications have to satisfy a few non-standard requirements:

  • Windows Server versions 2012, 2016, and 2019 with NFSv4 enabled

At the time of publishing, no public exploit exists; however, there is a strong possibility active exploitation is imminent after a detailed public disclosure.

How is it exploited? 

Exploitation can be accomplished with a crafted NFS message by an unauthenticated, remote attacker. 

Am I at risk?

| Windows Version | Patch |
|---|---|
| Windows Server 2012 R2 | KB5014738 |
| Windows Server 2012 | KB5014747 |
| Windows Server 2016 | KB5014702 |
| Windows Server 2019 | KB5014692 |


How do I protect myself? 

Microsoft has released security updates. These should be applied to all vulnerable systems.

Mitigating factors? 

It is possible to mitigate the vulnerability by disabling NFSv4.1. To do so, execute the following PowerShell command:

PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false

To restart the NFS server, open a cmd window with Run as Administrator and enter the following commands:

  • nfsadmin server stop
  • nfsadmin server start
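
To check a server against the patch table and the NFSv4 mitigation above, the following PowerShell is an added example, not code from this bulletin or from Microsoft. The helper name Get-Cve202230136Status and the report fields are assumptions, as is the EnableNFSV4 property read from Get-NfsServerConfiguration, which mirrors the parameter set by the mitigation command.

```powershell
# Added example: report CVE-2022-30136 exposure for the local server.
# KB numbers come from the bulletin's patch table; all other names are assumptions.
$PatchByOs = [ordered]@{
    'Windows Server 2012 R2' = 'KB5014738'
    'Windows Server 2012'    = 'KB5014747'
    'Windows Server 2016'    = 'KB5014702'
    'Windows Server 2019'    = 'KB5014692'
}

function Get-Cve202230136Status {   # hypothetical helper name
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # The table is ordered so that "2012 R2" is tested before "2012".
    $osKey = $PatchByOs.Keys |
        Where-Object { $caption -like "*$_*" } |
        Select-Object -First 1
    $kb = if ($osKey) { $PatchByOs[$osKey] } else { $null }

    # Get-HotFix emits an error for an unknown ID; suppress it and treat as "not found".
    $kbInstalled = $false
    if ($kb) {
        $kbInstalled = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    # The cmdlet fails when the Server for NFS role is absent; $null then means "no NFS server".
    $nfsV4 = $null
    try {
        $nfsV4 = (Get-NfsServerConfiguration -ErrorAction Stop).EnableNFSV4
    } catch {
        $nfsV4 = $null
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $caption
        ExpectedKB   = $kb
        KBInstalled  = $kbInstalled
        NfsV4Enabled = $nfsV4
        # Flag only listed OS versions that serve NFSv4 and lack the listed KB.
        NeedsAction  = [bool]($osKey -and $nfsV4 -and -not $kbInstalled)
    }
}

Get-Cve202230136Status | Format-List
```

A KBInstalled value of False is not proof of exposure on its own: later cumulative updates supersede the listed packages, so confirm the installed update level before acting on NeedsAction.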
