Vulnerability identifier: #VU63784
Vulnerability risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-78
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Windows Server
Operating systems & Components /
Operating system
Windows
Operating systems & Components /
Operating system
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing URL within the Microsoft Windows Support Diagnostic Tool (MSDT). A remote unauthenticated attacker can trick the victim to open a specially crafted file, which calls the ms-msdt tool and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
UPDATED
The vulnerability resides within MSTD and not in Microsoft Word. Microsoft Word is an attack vector and not the source of vulnerability.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Windows Server: 2008 R2 SP1 - 2008, 2016 10.0.14393.10, 2019 10.0.17763.1 - 2019 2004, 2022 10.0.20348.202
Windows: 7 SP1 - 7, 8 RT - 8.1, 10 Mobile, 10 S, 10 Gold, 10 20H2 10.0.19042.572, 10 21H1 10.0.19043.985, 10 21H2 10.0.19044.1288, 10 1507 10.0.10240.16405, 10 1511 10.0.10586.3, 10 1607 10.0.14393.10, 10 1703 10.0.15063.138, 10 1706, 10 1709 10.0.16299.19, 10 1803 10.0.17134.48, 10 1809 10.0.17763.1, 10 1903 10.0.18362.116, 10 1909 10.0.18363.476, 10 2004 10.0.19041.264, 10, 11 21H2 10.0.22000.194, 11
External links
http://twitter.com/nao_sec/status/1530196847679401984
http://twitter.com/Gi7w0rm/status/1530922845253017601
http://twitter.com/buffaloverflow/status/1530866518279565312
http://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.