
Detecting CVE-2022-26937 with Zeek

This month Microsoft disclosed CVE-2022-26937, a vulnerability in its Network File System (NFS) server. The exploit works by forcing a victim NFS server to connect to an attacker-controlled, fake NFS server and request an address from it; the address the attacker returns is too large for the victim to handle, overflows memory on the victim server and crashes it. Through Microsoft's MAPP program, Corelight Labs reviewed a proof-of-concept exploit for this vulnerability and wrote a Zeek®-based detection for it.

You can find a PCAP of this exploit in our GitHub repository. Looking at the connections in Zeek's conn.log we see:

(screenshot: conn.log output for the exploit PCAP)

The attacker's IP address is fe80::88d1:4bb:492e:b104 and the victim's is fe80::1550:7290:1622:4dce. The raw log is slightly out of order: the ts field is taken from the start of the connection, but a conn.log row is only written when the connection's state is removed, so rows can appear out of chronological order. Reading by ts, the attacker first connects to the victim's portmapper on 111/tcp. Examining this connection in Wireshark shows it requesting the NFS port; portmapper answers 2049/tcp, and the attacker then connects to that port. Next the attacker sends a Network Lock Manager (NLM) command that makes the victim connect back to the attacker's machine, from which it requests a portmapper universal address (essentially an address formatted as a string). The attacker's machine runs a version of portmapper that returns an address too large for the victim to parse. At this point a successful exploitation crashes and reboots the victim, which is why the last thing the victim sends the attacker's machine is a TCP reset (RST).

Here is what an exploit address string looks like in Wireshark:

(screenshot: Wireshark view of the oversized universal address string)

Our detection consists of a few signatures: one first matches the NLM connection, and another then matches the second portmapper connection, the one from the victim's machine back to the attacker's, in which the returned address is extremely large. An example notice.log produced from the PCAP in the repository follows:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-05-11-16-42-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652285129.626881 Ci4lmM2HkJESnOzn6g fe80::88d1:4bb:492e:b104 49798 fe80::1550:7290:1622:4dce 111 - - - tcp CVE202226937::CVE_2022_26937_Attempt Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce attempted exploit against fe80::88d1:4bb:492e:b104 - fe80::88d1:4bb:492e:b104 fe80::1550:7290:1622:4dce 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-05-11-16-42-00
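To make the detection logic concrete, here is an added Python sketch; it is not part of the original post and not Corelight's Zeek package. It decodes an rpcbind GETADDR reply far enough to read the returned universal address and its declared length, then replays conn.log-style records sorted by ts (which also absorbs the out-of-order rows mentioned above) and raises a notice when a host that earlier reached the victim's portmapper and NFS port is called back on 111 and answers with an address longer than a threshold. The host addresses come from the post; the ports, the 64-byte threshold, the constructed RPC bytes and the sample records are assumptions of the example.

```python
"""
Constructed sketch of the detection idea described in the post, re-implemented
in Python (not Corelight's Zeek package).  Two parts: decoding an rpcbind
GETADDR reply to recover the universal address and its length, and correlating
attacker -> victim:111, attacker -> victim:2049, then the victim's callback
victim -> attacker:111 whose reply carries the oversized address.
The TCP record-marking header is assumed to have been stripped already.
"""
import struct
from dataclasses import dataclass
from typing import Optional

RPC_REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 1, 0, 0, 0
PORTMAP, NFS = 111, 2049
# A legitimate universal address ("192.0.2.10.8.1" for 192.0.2.10:2049, or the
# IPv6 equivalent) is short; the 64-byte cut-off is this example's assumption.
MAX_UADDR_LEN = 64
ATTACKER = "fe80::88d1:4bb:492e:b104"   # roles as identified in the post
VICTIM = "fe80::1550:7290:1622:4dce"


def xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, data padded to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)


def build_getaddr_reply(xid: int, uaddr: bytes) -> bytes:
    """Encode a successful ONC RPC reply whose single result is the GETADDR uaddr."""
    header = struct.pack(">IIIII", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0)
    return header + struct.pack(">I", SUCCESS) + xdr_string(uaddr)


def parse_getaddr_reply(data: bytes) -> dict:
    """Recover the declared uaddr length and its bytes from an accepted RPC reply.

    The declared length is attacker-controlled, so it is reported as-is while the
    copy is bounded by what was captured: a truncated capture still gives the
    detector a usable length instead of an exception.
    """
    if len(data) < 20:
        raise ValueError("truncated RPC reply header")
    xid, msg_type, reply_stat, _flavor, verf_len = struct.unpack(">IIIII", data[:20])
    if msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not an accepted RPC reply")
    off = 20 + (verf_len + 3) // 4 * 4            # skip the padded verifier body
    if len(data) < off + 8:
        raise ValueError("truncated RPC reply body")
    (accept_stat,) = struct.unpack(">I", data[off:off + 4])
    if accept_stat != SUCCESS:
        raise ValueError("RPC call did not succeed")
    (declared,) = struct.unpack(">I", data[off + 4:off + 8])
    off += 8
    available = min(declared, len(data) - off)
    return {"xid": xid, "uaddr_len": declared,
            "uaddr": data[off:off + available], "truncated": available < declared}


@dataclass
class Conn:
    """The conn.log columns the correlation needs, plus the responder's first bytes."""
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    resp_payload: Optional[bytes] = None


def detect(conns: list) -> list:
    """Replay connections by ts (conn.log rows may be written out of order) and
    emit a notice when a host that earlier reached the victim's portmapper and
    NFS port is called back on 111 and answers with an oversized uaddr."""
    hit_portmap = set()   # (client, server) pairs seen on 111
    hit_nfs = set()       # (client, server) pairs seen on 2049 after 111
    notices = []
    for c in sorted(conns, key=lambda conn: conn.ts):
        if c.resp_p == PORTMAP:
            # Reversed pair: is the responder a host that previously acted as client?
            if (c.resp_h, c.orig_h) in hit_nfs and c.resp_payload:
                try:
                    reply = parse_getaddr_reply(c.resp_payload)
                except ValueError:
                    reply = None
                if reply and reply["uaddr_len"] > MAX_UADDR_LEN:
                    notices.append({"note": "CVE_2022_26937_Attempt",
                                    "attacker": c.resp_h, "victim": c.orig_h,
                                    "uaddr_len": reply["uaddr_len"]})
            hit_portmap.add((c.orig_h, c.resp_h))
        elif c.resp_p == NFS and (c.orig_h, c.resp_h) in hit_portmap:
            hit_nfs.add((c.orig_h, c.resp_h))
    return notices


def sample_conns(malicious: bool) -> list:
    """Constructed records mirroring the PCAP's sequence; only the callback's
    reply differs between the benign and the exploit case."""
    uaddr = b"A" * 4096 if malicious else b"192.0.2.10.8.1"
    return [
        Conn(1652285129.63, ATTACKER, 49798, VICTIM, PORTMAP),
        Conn(1652285129.70, ATTACKER, 49799, VICTIM, NFS),
        Conn(1652285129.85, VICTIM, 52000, ATTACKER, PORTMAP,
             resp_payload=build_getaddr_reply(0x1234, uaddr)),
    ]


if __name__ == "__main__":
    for notice in detect(sample_conns(malicious=True)):
        print(notice)
```

The length threshold is deliberately the only content check: the exploit is defined by the size of the returned string, not by its bytes, so a detector keyed on the decoded length survives changes to the padding the attacker uses.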

Note that in this sample notice the msg text names the two hosts in the opposite order from the src and dst columns: src (fe80::88d1:4bb:492e:b104) is the attacker and dst (fe80::1550:7290:1622:4dce) is the victim, so pivot on those columns, or on id.orig_h and id.resp_h, rather than on the message text. You can find our CVE-2022-26937 detection code at the following link: https://github.com/corelight/CVE-2022-26937.

By Corelight Labs Team
