CVE-2022-32230
📋 TL;DR
CVE-2022-32230 is a denial-of-service vulnerability in Microsoft Windows SMBv3 where a malformed FileNormalizedNameInformation request causes a null pointer dereference, leading to a Blue Screen of Death (BSOD) and system reboot. It affects Windows versions prior to April 2022 patches. Domain Controllers are particularly vulnerable as they allow unauthenticated exploitation via SMB sessions.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 by Microsoft
Windows 11 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash and reboot of Windows servers, causing service disruption and potential data loss in active transactions.
Likely Case
Denial-of-service attacks causing system reboots and service interruptions, particularly affecting SMB file sharing services.
If Mitigated
Minimal impact with proper patching and network segmentation preventing SMB access from untrusted sources.
🎯 Exploit Status
Metasploit module available; exploitation requires sending specific malformed SMBv3 packets over named pipes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2022 security updates (KB5012599 for Windows 10 21H2, KB5012592 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32230
Restart Required: Yes
Instructions:
1. Apply April 2022 Windows security updates via Windows Update.
2. For enterprise environments, deploy patches through WSUS or SCCM.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Block SMBv3 Named Pipe Access
Restrict access to SMB named pipes to prevent exploitation attempts. Note that the rule below blocks all inbound TCP 445 on the host, not only named-pipe traffic, so any file or printer shares the host serves become unreachable; the rule can be scoped to specific remote addresses if shares must stay available to trusted networks.
netsh advfirewall firewall add rule name="Block SMB Named Pipes" dir=in action=block protocol=TCP localport=445
Disable SMBv3 Compression
Disable the SMBv3 compression feature, which may reduce attack surface.
Set-SmbServerConfiguration -EnableCompression $false
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SMB traffic to trusted networks only
- Deploy intrusion detection/prevention systems to monitor for SMB exploitation patterns
🔍 How to Verify
Check if Vulnerable:
Check the Windows version and compare it with the patched versions listed in the Microsoft advisory. Systems without the April 2022 security updates are vulnerable.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the Windows Update history contains the April 2022 security updates, or check that the system build is post-patch.
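The following PowerShell script is an added example (not from the advisory or from Microsoft) that automates the check above: it reports the host's full build (CurrentBuild.UBR), whether one of the update packages named on this page is installed, and whether the firewall workaround rule from this page is present. The KB numbers and the rule name come from this page; everything else is an assumption.

```powershell
# Added example, not from the advisory: report build, listed-update presence, and
# whether the firewall workaround rule named on this page exists on this host.
$ListedUpdates = @('KB5012599', 'KB5012592', 'KB5013942')   # KB numbers from this page

function Get-Cve202232230Status {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $fullBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR      # e.g. 19044.1706

    $found = Get-HotFix |
        Where-Object { $ListedUpdates -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Rule name as given in the workaround section of this page
    $rule = Get-NetFirewallRule -DisplayName 'Block SMB Named Pipes' -ErrorAction SilentlyContinue

    # Cumulative updates supersede each other: a host on a newer LCU will not list the
    # KB above but is still fixed, so an empty match means "compare the build against
    # the advisory", not "vulnerable".
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Product           = $cv.ProductName
        Release           = $cv.DisplayVersion             # e.g. 21H2; absent on older builds
        Build             = $fullBuild
        ListedUpdateFound = if ($found) { $found -join ', ' } else { '(none; compare build/UBR with the advisory)' }
        WorkaroundRule    = if ($rule) { "present, enabled=$($rule.Enabled)" } else { 'absent' }
    }
}

Get-Cve202232230Status | Format-List
```

Run it in an elevated PowerShell session; reading the firewall rule and the hotfix list does not require elevation on most builds, but the registry query under `Windows NT\CurrentVersion` is the only reliable way to get the UBR that distinguishes a patched build from an unpatched one within the same release.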
📡 Detection & Monitoring
Log Indicators:
- Event ID 41 (Kernel-Power) indicating unexpected shutdowns
- SMB server logs showing malformed FileNormalizedNameInformation requests
Network Indicators:
- SMBv3 traffic with malformed FileNormalizedNameInformation requests
- Increased SMB connection attempts to named pipes
SIEM Query:
EventID=41 AND Source="Microsoft-Windows-Kernel-Power" AND Description contains "The system has rebooted without cleanly shutting down first"
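The SIEM query above flags unexpected reboots but does not say which client was talking to SMB before the crash. As an added example (not part of this page or of any vendor tooling), the PowerShell script below runs the same Kernel-Power 41 search on the local host and, for each crash, lists the inbound TCP 445 connections recorded in the Security log during the minutes before it. It assumes that "Filtering Platform Connection" success auditing is enabled (event 5156); the look-back window and the trusted address prefix are constructed placeholders to tune per environment.

```powershell
# Added example, not from the advisory: tie Kernel-Power 41 crashes back to the SMB
# clients that connected shortly before each one. Requires Security event 5156
# (Filtering Platform Connection auditing) to be enabled, which is an assumption.
function Get-SmbCrashCorrelation {
    param(
        [int]$Days = 7,                              # how far back to look for crashes
        [int]$LookBackMinutes = 10,                  # window before each crash to inspect
        [string[]]$TrustedPrefixes = @('10.0.0.')    # constructed placeholder for trusted subnets
    )

    $since = (Get-Date).AddDays(-$Days)
    $crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id           = 41
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    foreach ($crash in $crashes) {
        $windowStart = $crash.TimeCreated.AddMinutes(-$LookBackMinutes)
        $conns = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 5156
            StartTime = $windowStart
            EndTime   = $crash.TimeCreated
        } -ErrorAction SilentlyContinue

        # Pull SourceAddress for inbound connections to port 445 from the event XML
        $smbClients = foreach ($c in $conns) {
            $data = @{}
            ([xml]$c.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            # %%14592 is the WFP resource string for "Inbound"
            if ($data['DestPort'] -eq '445' -and $data['Direction'] -eq '%%14592') {
                $data['SourceAddress']
            }
        }

        $unique    = $smbClients | Sort-Object -Unique
        $untrusted = $unique | Where-Object {
            $ip = $_
            -not ($TrustedPrefixes | Where-Object { $ip.StartsWith($_) })
        }

        [pscustomobject]@{
            CrashTime        = $crash.TimeCreated
            SmbClients       = $unique -join ', '
            UntrustedClients = $untrusted -join ', '
        }
    }
}

Get-SmbCrashCorrelation | Format-Table -AutoSize
```

A crash row with a non-empty UntrustedClients column is the case worth escalating: an unexpected reboot preceded by SMB connections from outside the networks that should reach the host. An empty SmbClients column usually means 5156 auditing is not enabled rather than that no SMB traffic occurred.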
🔗 References
- https://github.com/zeroSteiner/metasploit-framework/blob/feat/mod/cve-2022-32230/modules/auxiliary/dos/smb/smb_filenormalizednameinformation.rb
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32230
- https://support.microsoft.com/en-us/topic/may-10-2022-kb5013942-os-builds-19042-1706-19043-1706-and-19044-1706-60b51119-85be-4a34-9e21-8954f6749504
- https://www.rapid7.com/blog/post/2022/06/14/cve-2022-32230-windows-smb-denial-of-service-vulnerability-fixed/