On Friday, May 27, 2022, Security vendor nao_sec identified a malicious document leveraging a zero-day remote code execution RCE vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool (MSDT) with a High severity CVSS 7.8 score.
The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.
Note: Successful exploitation requires one of the following conditions:
-
A malicious document (such as .doc and .docx) is opened by a targeted user and “Enable editing” is clicked.
-
A malicious .rtf document is previewed or opened by a targeted user.
Based on the publicly available Proof of Concept (PoC) exploit code and the ease of exploitation, Arctic Wolf assesses this vulnerability to be a high risk and strongly recommends that customers apply the applicable workaround provided by Microsoft promptly.
Recommendations for CVE-2022-30190
Recommendation: Explore Applying Workaround Provided by Microsoft
As of May 31, 2022, there is no patch available from Microsoft to mitigate the vulnerability, however, there is guidance provided for a workaround.
Note: Arctic Wolf recommends the following change management best practices for testing the workaround in a dev environment before deploying to production systems.
Review Microsoft’s guidance to apply the workaround to your affected system(s):