Forum Discussion
Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild (CVE-2022-30190)
On May 30, Microsoft released an advisory for a zero-day in the Microsoft Windows Support Diagnostic Tool (MSDT) that has been exploited in the wild and gained considerable researcher attention over the weekend.
CVE-2022-30190 is a remote code execution vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. An attacker would craft a malicious document (a Microsoft Word file is common) and send it to their target via email. By exploiting this vulnerability, an attacker can execute commands with the permissions of the application used to open the malicious document. Researchers have found that this vulnerability can be exploited without user interaction. Microsoft has published a workaround and detection information, but no patches as of May 31.
For more information, please visit our blog post.
18 Replies
- wdano2 (Connect Contributor)
Does the plugin only look for the MS mitigation, or will it take into account the GPO-proposed mitigation as well?
- Mark_M (Connect Contributor III)
We have 2016 servers not being detected as vulnerable, but our 2019 ones are. Can anyone tell the difference in detection? It did show 2016 Server as impacted, so wondering why they are not picked up by the scan.
- paul_jacoby (Connect Contributor III)
Detection of the GPO-based mitigations would be VERY helpful -- see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ScriptedDiagnostics::ScriptedDiagnosticsExecutionPolicy
For whatever reason Microsoft has documented in its blog two GPO settings that _DON'T_ work, but ignored the one that does.
It would be ideal if plugin 161691 could check all of the corresponding reg keys for each mitigation -- (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\EnableDiagnostics = 0)
- Anonymous
I agree with Paul. We have been applying the GPO fix detailed at doublepulsar.com, which involves disabling the following: Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “Disabled”.
I would ask that Tenable add this detection to the plugin to indicate the workaround is in place. Otherwise I am going to have to start marking false positives across the estate.
- brent_dooley (Connect Rookie)
Recommend you read the Microsoft post on this, as they list those GPO workarounds as NOT mitigating the issue:
- wdano2 (Connect Contributor)
Thank you for that information, however that is not the GPO I was referring to. Instead it is the one mentioned here: Message from SentinelOne
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0
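The two mitigations the thread is comparing (the registry value paul_jacoby and wdano2 name, and the workaround Microsoft published) can both be verified on a host directly rather than inferred from the plugin result. The PowerShell script below is an added example for this thread; it is not code from the posters, from Tenable or from Microsoft. It assumes that Microsoft's published workaround is the removal of the ms-msdt protocol handler key from HKEY_CLASSES_ROOT (the MSRC guidance does this with a reg delete), and it treats EnableDiagnostics = 0 under the ScriptedDiagnostics policy key as the GPO mitigation. The function names are my own. It deliberately does not try to detect the June cumulative update, because the KB number differs per Windows build and the thread does not name one.

```powershell
# Added example, not from the thread: report which CVE-2022-30190 workarounds
# are present on the local host. Run from an elevated PowerShell prompt.
#
# Assumptions (see lead-in): the MSRC workaround is the absence of the
# HKEY_CLASSES_ROOT\ms-msdt key; the GPO mitigation is EnableDiagnostics = 0
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics.

function Test-MsdtProtocolRemoved {
    # The ms-msdt: URL handler lives under HKCR\ms-msdt. Once the key is
    # deleted, Office can no longer hand a crafted URL to msdt.exe.
    return (-not (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\ms-msdt'))
}

function Test-ScriptedDiagnosticsDisabled {
    # GPO path: Computer Configuration > Administrative Templates > System >
    # Troubleshooting and Diagnostics > Scripted Diagnostics >
    # "Troubleshooting: Allow users to access and run Troubleshooting Wizards"
    # set to Disabled writes EnableDiagnostics = 0 (REG_DWORD) here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    if (-not (Test-Path -LiteralPath $key)) { return $false }

    # Get-ItemProperty returns $null when the value does not exist.
    $props = Get-ItemProperty -LiteralPath $key -Name EnableDiagnostics -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }

    return ([int]$props.EnableDiagnostics -eq 0)
}

function Get-FollinaMitigationStatus {
    # One object per host so the output can be collected across an estate
    # (for example via Invoke-Command) and exported to CSV.
    [PSCustomObject]@{
        ComputerName                = $env:COMPUTERNAME
        MsdtProtocolHandlerRemoved  = Test-MsdtProtocolRemoved
        ScriptedDiagnosticsDisabled = Test-ScriptedDiagnosticsDisabled
    }
}

$status = Get-FollinaMitigationStatus
$status | Format-List

if ($status.MsdtProtocolHandlerRemoved -or $status.ScriptedDiagnosticsDisabled) {
    Write-Host 'At least one CVE-2022-30190 workaround is in place.'
    exit 0
}
else {
    Write-Warning 'No CVE-2022-30190 workaround detected; install the cumulative update that remediates the issue or apply a workaround.'
    exit 1
}
```

The script reports the two mitigations separately on purpose: as the posters above describe, plugin 161691 keys on the Microsoft workaround, so a host that only has the GPO value set can still be flagged even though it is mitigated. Keeping both columns lets you reconcile the scanner's "vulnerable" result against the actual host state before marking anything as a false positive.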
- brent_dooley (Connect Rookie)
When will Tenable update Plugin 161691 to stop looking for the workaround if the June CU is installed? As the June CU remediates the issue, the workaround is not needed.
- adam_walter (Connect Contributor II)
@Claire Tills Not sure if you've seen this, Claire? MS have provided a fix, yet the plugin is still reporting machines with the patch as vulnerable. Do you know when it will be updated?
Thanks.
Yes, even after applying updates the server is showing as vulnerable. Do we need to apply the fix and also apply the update?
- brent_dooley (Connect Rookie)
Microsoft CVE-2022-30190 Patch and Workaround Plugin Advisement (tenable.com)
That states that Tenable is changing plugin 161691 from "High" to "Informational". The article is dated 6/17/2022, yet as of today (6/21/2022) the plugin is still High.
We are also getting this plugin as high in our daily scans.
Any idea when this would be downgraded to informational ?
Thanks
- adam_walter (Connect Contributor II)
Hi @Suraj Thakur , the number of assets with this High vulnerability in our environment began reducing yesterday. It appears a scan of each asset is required to adjust the severity rating of the plugin.
- paul_jacoby (Connect Contributor III)
We are seeing the same -- a new scan is required for an asset to show the plugin as an Info. Currently we have some assets showing Critical (last scanned ~6/2), some High (last scanned ~6/19) and now Info (last scanned 6/23).
In the Vulnerabilities screen filtered by plugin, the output line shows Severity Info, VPR 9.5, CVSS 0.
Meanwhile the plugin details screen at the Vulnerabilities>Vulnerability Details level still shows Severity Critical, CVSS 10.0, but no VPR score.
Plugin Set: 202206231847
- adam_walter (Connect Contributor II)
I see the plugin on plugins.tenable.com is now showing as Informational, but in IO it's still showing as High. I wonder when IO will be updated to reflect the change...
- adam_walter (Connect Contributor II)
This has now changed to Informational in IO for us.