On Friday, May 27, security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT).
The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.
Note: Successful exploitation requires one of the following conditions:
- A malicious document (such as .doc and .docx) is opened by a targeted user and “Enable editing” is clicked.
- A malicious .rtf document is previewed or opened by a targeted user.
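The process chain the bulletin describes (an Office application invoking MSDT through the ms-msdt URL protocol) is the most direct thing a defender can hunt for. The following PowerShell is an added detection example, not part of the Arctic Wolf bulletin or of Microsoft's guidance: it flags msdt.exe launched by an Office parent and notes whether the ms-msdt: protocol appears on the command line. It assumes Sysmon Event ID 1 (process creation) is being collected; the Sysmon log name and field names are real, the sample records and the placeholder command line are constructed.

```powershell
# Added detection example (not from the Arctic Wolf bulletin): flag msdt.exe
# launched by an Office application, the process chain behind CVE-2022-30190.
# Assumes Sysmon Event ID 1 is collected; sample records below are constructed.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Find-MsdtFromOffice {
    param(
        [Parameter(Mandatory)]
        [object[]]$ProcessEvents   # objects with TimeCreated, Image, ParentImage, CommandLine
    )
    foreach ($ev in $ProcessEvents) {
        $child  = [System.IO.Path]::GetFileName($ev.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($ev.ParentImage).ToLowerInvariant()
        if ($child -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                Parent      = $parent
                Child       = $child
                # The ms-msdt: URL protocol on the command line is the hallmark of
                # the Word -> MSDT invocation described in the bulletin.
                UsesMsdtUrl = [bool]($ev.CommandLine -match 'ms-msdt:')
                CommandLine = $ev.CommandLine
            }
        }
    }
}

# Convert live Sysmon Event ID 1 records into the shape Find-MsdtFromOffice expects.
function Get-SysmonProcessCreateEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$Sample = @(
    [pscustomobject]@{
        TimeCreated = '2022-05-30T09:14:02'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /param "(constructed placeholder)"'
    }
    [pscustomobject]@{
        TimeCreated = '2022-05-30T09:20:11'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'     # legitimate user-launched troubleshooter
        CommandLine = 'C:\Windows\System32\msdt.exe -id NetworkDiagnosticsWeb'
    }
    [pscustomobject]@{
        TimeCreated = '2022-05-30T09:21:40'
        Image       = 'C:\Windows\splwow64.exe'     # benign Word child process
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

# Only the first record should be reported.
Find-MsdtFromOffice -ProcessEvents $Sample | Format-Table -AutoSize

# Against live Sysmon data on a collector or endpoint:
# Find-MsdtFromOffice -ProcessEvents (Get-SysmonProcessCreateEvents)
```

The parent/child match is the stable signal; the `ms-msdt:` check is secondary, since a legitimate troubleshooter launched from the Control Panel arrives with a different parent and without that URL prefix.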
Based on the publicly available Proof of Concept (PoC) exploit code and the ease of exploitation, Arctic Wolf assesses this vulnerability to be a high risk and strongly recommends that you review the recommendations below for guidance on how to best mitigate this vulnerability promptly.
Recommendations for CVE-2022-30190
Recommendation #1: Apply Patch for CVE-2022-30190 to Windows Systems
Our primary recommendation is to apply the Microsoft-provided patch for this vulnerability as soon as possible to all affected Windows systems.
Note: Arctic Wolf recommends following change management best practices by testing the patch in a dev environment before deploying to production systems.
Patch information for each affected Windows system can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
The patch is available for the following Windows systems:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 & 2012 R2
- Windows Server 2008 R2
- Windows 11
- Windows 10 (versions 1607, 1809, 20H2, 21H1, 21H2)
- Windows 8.1
- Windows 7 Service Pack 1
Recommendation #2: Explore Applying Workaround Provided by Microsoft
If you are unable to apply the patch for CVE-2022-30190 promptly, Microsoft has provided guidance for a workaround that mitigates the vulnerability.
Note: Arctic Wolf recommends following change management best practices by testing the workaround in a dev environment before deploying to production systems.
Review Microsoft’s guidance to apply the workaround to your affected system(s).
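Microsoft's published workaround for CVE-2022-30190 is to unregister the ms-msdt URL protocol handler (back up HKEY_CLASSES_ROOT\ms-msdt with reg export, then delete the key). The PowerShell below is an added example, not part of the Arctic Wolf bulletin and not a Microsoft script: it wraps that procedure with a pre-check, a backup that must succeed before anything is deleted, and a restore function for use once the patch is installed. Run it from an elevated session; the backup path is an assumption.

```powershell
# Added example (not from the Arctic Wolf bulletin): apply, verify and revert the
# Microsoft workaround of removing the ms-msdt: URL protocol handler.
# Requires an elevated PowerShell session. Backup location is an assumption.

$Backup = 'C:\Backups\ms-msdt.reg'   # assumed path; choose your own

function Test-MsdtProtocolHandler {
    # $true while the ms-msdt: protocol is still registered (system still exposed).
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocolHandler {
    param([string]$BackupPath = $Backup)
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Host 'ms-msdt protocol handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    # Export first so the change can be reverted after patching; abort if it fails.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\ms-msdt failed; key not deleted." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting HKCR\ms-msdt failed.' }
    Write-Host "Removed ms-msdt handler; backup saved to $BackupPath"
}

function Restore-MsdtProtocolHandler {
    param([string]$BackupPath = $Backup)
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
    Write-Host 'ms-msdt handler restored.'
}

Disable-MsdtProtocolHandler
Test-MsdtProtocolHandler      # expected: False once the workaround is in place
# After the patch from Recommendation #1 is installed: Restore-MsdtProtocolHandler
```

Removing the handler affects every application that launches troubleshooters through ms-msdt: links, so treat it as a temporary measure, confirm with `Test-MsdtProtocolHandler` on each host, and restore the key after patching.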
References
- Twitter: nao_sec on Twitter
- Follina — a Microsoft Office code execution vulnerability
- CVE-2022-30190 Advisory
- CVE-2022-30190 Guidance