Elevity would like to inform you of CVE-2022-30190, a new critical remote code execution (RCE) vulnerability affecting all versions of Windows. If you use Windows in your environment, we recommend reviewing this blog and applying the workaround provided by Microsoft for CVE-2022-30190.
Summary
On Friday, May 27, Security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool (MSDT).
The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.
Note: Successful exploitation requires one of the following conditions:
- A malicious document (such as .doc or .docx) is opened by a targeted user and "Enable editing" is clicked.
- A malicious .rtf document is previewed or opened by a targeted user.
Recommendations
Recommendation #1: Be on the Latest Elevity Offering
At this time, there is no patch available from Microsoft to mitigate the vulnerability; however, Elevity has seen our EDR solution and our EDR + SOC solution detect and stop these attacks in the wild. If you are on the Elevity EDR offering (SentinelOne) and/or our 4.0 offering with our SOC, you are covered.
Not partnered with Elevity yet? Click here to request a consultation to get started today!
Recommendation #2: Explore Applying Workaround Provided by Microsoft
Microsoft has provided guidance on a workaround for those not in our latest offering. Early testing by Elevity has shown these registry edits to cause issues with the Microsoft Office suite, so we will not be pushing them automatically unless you have an internal IT team and are confident in your ability to perform these changes.
Note: We recommend following change management best practices for testing the workaround in a dev environment before deploying to production systems.
Review Microsoft’s guidance here to apply the workaround to your affected system(s).
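As an added example (not Elevity's or Microsoft's own code), the script below wraps Microsoft's published workaround, which backs up and then removes the ms-msdt URL protocol handler key, and adds the checks an administrator wants when rolling it out with change management: it refuses to run without a backup, verifies the key is gone, and offers a -Rollback switch to re-import the backup once a patch is installed. The backup location under ProgramData is our assumption; run it from an elevated PowerShell session.

```powershell
# Added example, not code from Elevity or Microsoft: applies (or rolls back)
# Microsoft's published CVE-2022-30190 workaround, which removes the
# ms-msdt: URL protocol handler registration. Run elevated.
# Assumption: the backup location under ProgramData is our own choice.
param(
    [string]$BackupPath = "$env:ProgramData\msdt-workaround\ms-msdt.reg",
    [switch]$Rollback
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'      # handler key named in Microsoft's guidance
$PsPath  = "Registry::$KeyPath"

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: scheme is registered, i.e. the workaround is NOT applied
    return (Test-Path -LiteralPath $PsPath)
}

if ($Rollback) {
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup at $BackupPath; cannot restore the ms-msdt handler."
    }
    reg.exe import $BackupPath | Out-Null          # Microsoft's undo step
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Restored $KeyPath from $BackupPath. Present now: $(Test-MsdtHandlerPresent)"
    return
}

if (-not (Test-MsdtHandlerPresent)) {
    Write-Host "$KeyPath is already absent; workaround already applied. Nothing to do."
    return
}

# 1. Back up the key so the change can be reverted once a patch is installed
$null = New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force
reg.exe export $KeyPath $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Remove the protocol handler registration (the actual workaround)
reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

# 3. Verify, so a deployment tool can key off the result
if (Test-MsdtHandlerPresent) {
    throw "$KeyPath still present after deletion; workaround not applied."
}
Write-Host "Workaround applied. Backup saved to $BackupPath (use -Rollback to restore)."
```

Because the workaround disables MSDT-based troubleshooters, test it on a representative Office workstation first, as the note above advises, and keep the exported .reg file so the handler can be restored after patching.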