CVE-2022-30190 – Updated Guidance for MSDT Remote Code Execution Zero-Day Vulnerability in Windows

On Friday, May 27, security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT).

The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.

Note: Successful exploitation requires one of the following conditions:

  • A malicious document (such as .doc and .docx) is opened by a targeted user and “Enable editing” is clicked.
  • A malicious .rtf document is previewed or opened by a targeted user.

Based on the publicly available Proof of Concept (PoC) exploit code and the ease of exploitation, Arctic Wolf assesses this vulnerability to be a high risk and strongly recommends that you review the recommendations below for guidance on how best to mitigate this vulnerability promptly.

Recommendations for CVE-2022-30190

Recommendation #1: Apply Patch for CVE-2022-30190 to Windows Systems

Our primary recommendation is to apply the Microsoft-provided patch for this vulnerability as soon as possible to all affected Windows systems.

Note: Arctic Wolf recommends following change management best practices by testing the patch in a dev environment before deploying it to production systems.

Patch information for each affected Windows system can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

The patch is available for the following Windows systems:

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 & 2012 R2
  • Windows Server 2008 R2
  • Windows 11
  • Windows 10 (versions 1607, 1809, 20H2, 21H1, 21H2)
  • Windows 8.1
  • Windows 7 Service Pack 1

Recommendation #2: Explore Applying Workaround Provided by Microsoft

If the patch for CVE-2022-30190 cannot be applied promptly, Microsoft has provided guidance for a workaround that mitigates the vulnerability.

Note: Arctic Wolf recommends following change management best practices by testing the workaround in a dev environment before deploying it to production systems.

Review Microsoft’s guidance to apply the workaround to your affected system(s).
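As an added example (not Arctic Wolf's or Microsoft's own script), the PowerShell below applies, verifies and later reverts the workaround Microsoft published for this CVE, which consists of backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt URL protocol handler key so that Office can no longer invoke MSDT through it. The backup file location under ProgramData is an assumption; the revert step is meant to be run once the patch from Recommendation #1 has been installed.

```powershell
# Added example: apply / check / revert the Microsoft-published CVE-2022-30190
# workaround (remove the ms-msdt URL protocol handler). Run from an elevated
# PowerShell session, and test in a dev environment before production rollout.
#Requires -RunAsAdministrator

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtHandlerPresent {
    # $true when the ms-msdt URL protocol is still registered, i.e. the host is still exposed.
    return Test-Path -LiteralPath $KeyPath
}

function Backup-MsdtHandler {
    # Export the key with reg.exe so the workaround can be reverted after patching.
    if (-not (Test-MsdtHandlerPresent)) { Write-Host 'ms-msdt key not present; nothing to back up.'; return }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Backed up ms-msdt handler to $BackupFile"
}

function Disable-MsdtHandler {
    # Apply the workaround: back up first, then delete the protocol handler key.
    Backup-MsdtHandler
    if (Test-MsdtHandlerPresent) {
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    }
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt key still present after delete' }
    Write-Host 'Workaround applied: ms-msdt URL protocol handler removed.'
}

function Restore-MsdtHandler {
    # Revert the workaround once the patch is installed, restoring the exported key.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "Backup file $BackupFile not found" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host 'ms-msdt URL protocol handler restored.'
}

# Example run: report exposure, apply the workaround, report again.
Write-Host ("Exposed before: {0}" -f (Test-MsdtHandlerPresent))
Disable-MsdtHandler
Write-Host ("Exposed after:  {0}" -f (Test-MsdtHandlerPresent))
```

Test-MsdtHandlerPresent can also be run on its own across a fleet to inventory which hosts still have the handler registered before and after rollout.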

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.