In 2022, Microsoft patched a security feature bypass vulnerability in the Workstation Service Remote Protocol, tracked as CVE-2022-21924. In this long read, we'll break down what this vulnerability is, how it works, and what the implications are using easy-to-understand language. We’ll also walk through example code and reference trusted sources.
What is CVE-2022-21924?
CVE-2022-21924 highlights a flaw in how the Workstation Service Remote Protocol—technically called MS-WKST—handles certain authentication or access checks.
This vulnerability allows an attacker to bypass security features, which could allow them to perform actions that should be restricted, such as viewing sensitive configuration or modifying certain settings on vulnerable Windows systems.
Where is the Workstation Service Used?
The Workstation Service (lanmanworkstation) is a part of Windows OS since the early days. It handles network connections and shares. The service speaks to Windows systems over the network through Remote Procedure Calls (RPCs) using the MS-WKST protocol.
A lot of system management and network admin tools rely on these protocols under the hood, so even if you don’t use them directly, they're always running in modern Windows environments.
Security Feature Bypass
A security feature bypass vulnerability means an attacker can get around normal checks that are supposed to keep the protocol or service safe.
> In this case: If a workstation is running the vulnerable protocol, an attacker on the network could potentially send specially crafted requests to bypass authentication or impersonate another user.
Microsoft’s summary says
> An authenticated attacker could exploit this vulnerability by convincing a server to authenticate to attacker’s controlled resource using NTLM. (Source: MSRC Advisory)
Victim’s Workstation Service receives a request to authenticate to the attacker's server.
3. NTLM credentials are sent by the workstation, possibly allowing the attacker to capture sensitive info or relay the credentials elsewhere.
The Patch
Microsoft patched this vulnerability in February 2022 as part of Patch Tuesday (Security Update Guide). If your Windows machines are up-to-date, you’re protected.
Example of Malicious Request (Pseudocode)
Suppose you can reach an unpatched machine’s Workstation Service over the network (default port 445). An attacker could try to trick it into authenticating to a malicious network share.
Simple SMB share lure (Python concept)
import socket
# Attacker listens on port 445 for incoming authentication requests
attacker_ip = '...'
port = 445
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((attacker_ip, port))
sock.listen(1)
print('[*] Waiting for incoming connection...')
conn, addr = sock.accept()
print(f'[+] Received connection from: {addr}')
# If Workstation Service connects, you may capture NTLM handshake
data = conn.recv(4096)
print(f'[+] Data received: {data.hex()}')
conn.close()
In real attacks, a tool like Responder can automate this process, capturing or relaying credentials.
Real World Attack
Attackers would use a combination of phishing, network manipulation, or abusing machine configuration (like forced authentication via UNC paths or printer connection), to get the target to “reach out” over SMB/WKST to a malicious device.
Further Reading and References
- Microsoft’s Official Advisory
- MS-WKST Protocol Technical Docs
- Responder NTLM Relaying Toolkit
- CVE Details Page
In Summary
CVE-2022-21924 is another example that critical Windows services can have serious vulnerabilities—sometimes allowing attackers to bypass security checks with clever network tricks. If you manage Windows machines, make sure to keep up with patches and lock down your network where possible.
Stay safe, and always watch the Patch Tuesday releases!
Timeline
Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC