Detecting CVE-2022-26937 with Zeek

This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server and cause a crash. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof-of-concept exploit for this vulnerability and wrote a Zeek®-based detection for it. 

You can find a PCAP of this exploit in our GitHub repository. Looking at the connections via Zeek we see:


The attacker’s IP address is “fe80::88d1:4bb:492e:b104” and the victim IP address is “fe80::1550:7290:1622:4dce”. The raw log is slightly out of order (the time field is set from the connection start, but the conn.log row is written when the connection’s state is removed so this can cause out of order log events), but you will see that the attacker first connects to the victim’s portmapper on 111/tcp. Examining this connection in Wireshark shows that this connection requests the NFS port, which returns 2049/tcp, which the attacker then connects to. Next the attacker sends a Network Lock Manager Protocol (NLMP) command to have the victim machine connect to the attacker’s machine, from which it will request a portmapper universal address (formatted as a string, basically). The attacker’s machine runs a version of portmapper that will return an address too large for the victim’s machine to parse. At this point, a successful exploitation will cause the machine to reboot, which subsequently results in the victim system sending  a TCP reset (“RST”) packet to the attacker’s machine.

Here is what an exploit address string looks like in Wireshark:


Our detection consists of some signatures to first detect the NLMP connection prior to the second portmapper connection from the victim’s machine to the attacker’s machine for which the address returned is extremely large.  An example “notice.log” from the PCAP in the repository follows:

#separator \x09

#set_separator ,

#empty_field (empty)

#unset_field -

#path notice

#open 2022-05-11-16-42-00

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.latitude remote_location.longitude

#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double

1652285129.626881 Ci4lmM2HkJESnOzn6g fe80::88d1:4bb:492e:b104 49798 fe80::1550:7290:1622:4dce 111 - - - tcp CVE202226937::CVE_2022_26937_Attempt Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce attempted exploit against fe80::88d1:4bb:492e:b104 - fe80::88d1:4bb:492e:b104 fe80::1550:7290:1622:4dce 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -

#close 2022-05-11-16-42-00

You can find our CVE-2022-26937 detection code at the following link:

By Corelight Labs Team


    Recent Posts