July Vuln of the Month: CVE-2022-30190

Now that we’re publishing our Vuln of the Month blog on the second Tuesday of every month (aka The Day Formerly Known As Patch Tuesday), it seems only fitting to spotlight a Microsoft vulnerability for our July selection. And this one is worth your time: A remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) is already being exploited by state actors.  

Our research shows that CVE-2022-30190 meets many of the criteria we look for in a vulnerability that could be exploited, including: 

• Access complexity: Low 
• Potential attack surface: Broad 
• Exploitable remotely: Yes 
• Authentication/privilege requirements: None 
• Potential impact on availability: Complete 
• Exploit code published: Yes
• Active exploits observed: Yes

CVE-2022-30190 is an extraordinarily high-risk vuln. Its Kenna Risk Score is 100, the highest possible risk score a CVE can earn. Of all the CVEs scored to date by Kenna, just 0.21% have earned a score this high. However, organizations that let CVSS 3.X scores drive their prioritization will find CVE-2022-30190 (which CVSS gives a “High” score of 7.8) doesn’t even earn a spot in the top 10 percent of all CVSS scores. (We’ve written about the difference between CVSS scores and risk scores—and why risk scores reflect more useful real-world and contextual data, which helps security teams identify the vulnerabilities worth fixing.) 

Why CVE-2022-30190 matters 

Virtually any Microsoft vulnerability is noteworthy thanks to the ubiquity of Windows platforms and the Microsoft software that runs on them. This one is particularly nasty. Nicknamed Follina, this Vuln offers attackers a way to call the MSDT using the URL protocol from a calling application such as Microsoft Word. Attackers are luring end-users into downloading malicious code. Notes Microsoft, “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”  

In early June, Cisco Talos was observed actively exploiting this vulnerability in the wild. In addition to patching the issue, Talos has several detection signatures to protect against CVE-2022-30190: 

• Snort 2 rules: 59889 – 59894 
• Snort 3 rules: 300192 – 300194 
• ClamAV signature: Win.Exploit.CVE_2022_30190-9951234-1 

Bottom line 

For affected organizations, CVE-2022-30190 is a high-priority fix. The potential attack surface is massive; no privileges are required, and attacks can be launched remotely and via bots. The potential for damage and data loss is significant, and sophisticated attackers linked to various state-sponsored efforts are already exploiting it. If you’re a Microsoft shop, place this at the top of your fix list. (But if you’re still using CVSS scores to determine your patch priorities and hadn’t read this blog, it could have been some time before you get to this one.)  

Mitigation status 

Since submitting CVE-2022-30190 on May 30, Microsoft published a series of patches for 36 products. (Before the availability of software updates, it offered guidance on disabling the MDST URL protocol and other workarounds.)   

Watch this space for our regular Vuln of the Month spotlight, which appears on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities rather than headlines. Thanks in part to our vulnerability intelligence powered by machine learning.