by It has been detected that a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) feature, which is used to detect problems in Windows systems, is actively exploited and used in attacks. You can see how the attack detected in a Word document was triggered from the screen recording at “https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/“. After opening the Word document, the code is run using the MSDT protocol. One of the important points here is that, unlike what we are used to, malicious code does not run through the macro. In short, after the user opens the file, there is no warning like “enable macros“, the code runs directly.
Since the exploit is done with user privileges, it is not possible to directly become a system/domain administrator using this vulnerability. If your users have limited privileges, as they should, this vector allows an attacker to gain access to ordinary user privileges within the organization. The code runs on the system as soon as the file is opened, as the user does not need to click on a separate button such as “enable macro“. This makes the attacker’s job easier.
Affected Systems
The products listed below are thought to be affected.
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Solution and CVE/CWE
CVE/CWE: CVE-2022-30190
It is recommended to update to the following versions;
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
However, there are unconfirmed reports that fully up-to-date systems can still be exploited even though relevant workarounds and patches have been released by Microsoft. Therefore, it is recommended that end-users take precautions such as rules to prevent MS Office executable files (such as winword.exe and excel.exe) from starting executable files in a controlled manner on antivirus solutions.
Note: Those with CVSS 3.1 scores of 7.0-8.9 (out of 10) are considered “high”, and those with 9.0-10.0 are considered “critical”.
Reference:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190
https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
