External risk intelligence

Microsoft Windows MSDT Remote Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2022-30190

A vulnerability in Microsoft Windows Support Diagnostic Tool allows remote code execution. Attackers can install programs, alter data, or create accounts with the privileges of the calling application. This presents a business risk of system compromise and data exposure.

1Halo Surface Signal

Remote Code Execution

Microsoft Windows 10 1507

before 10.0.10240.19325before 10.0.14393.5192before 10.0.17763.3046before 10.0.19042.1766before 10.0.19043.1766before 10.0.19044.1766before 10.0.22000.739r2before 10.0.20348.770

External exposure likelihood

Halo Surface Signal score for CVE-2022-30190

This vulnerability requires a user to interact with a specific, malicious file or URL within a local application context, such as opening a document. It is not an internet-facing service, port, or protocol that can be reached directly from the network; rather, it depends on local client-side execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows attackers to execute arbitrary code. This flaw arises when MSDT is invoked via a URL protocol from applications like Microsoft Word. Successful exploitation enables an attacker to install programs, manipulate data, or create user accounts with the privileges of the affected application.

  • Vulnerable: Microsoft Windows Support Diagnostic Tool (MSDT)
  • Weakness: Code execution via URL protocol
  • Impact: Arbitrary code execution, data manipulation, new accounts

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary code by exploiting how a calling application, such as Microsoft Word, uses the Microsoft Support Diagnostic Tool (MSDT) through a URL protocol. If successful, the attacker can install programs, modify or delete data, or create new user accounts, operating with the same permissions as the compromised application. This could lead to a significant compromise of the affected system and organizational data.

  • Exploitation requires the attacker to trick a user into opening a specially crafted document.
  • The attacker exploits MSDT via a URL protocol.
  • Arbitrary code execution and system compromise result.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability within the Microsoft Support Diagnostic Tool (MSDT) could allow an attacker to execute arbitrary code on an affected system. This could enable an attacker to install software, modify or delete data, or create new user accounts, depending on the privileges of the calling application. The exploitation of this vulnerability requires an attacker to trick a user into opening a specially crafted file or link.

  • Low skill attacker can exploit it.
  • Requires user interaction with a malicious file.
  • High business risk due to remote code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A vulnerability exists when the Microsoft Support Diagnostic Tool (MSDT) is invoked through a URL protocol from applications like Word. Exploitation could allow an attacker to execute arbitrary code with the privileges of the affected application, leading to program installation, data manipulation, or account creation. This could impact systems, data, and introduce business risk.

  • Identify all Windows assets.
  • Disable MSDT or isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activity.

Frequently asked questions

What is the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability?

A remote code execution vulnerability exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application, such as Word. An attacker could exploit this to run arbitrary code with the privileges of the calling application.

What weakness class does CVE-2022-30190 fall into?

This vulnerability is associated with the weakness class CWE-610, which involves hotlinking. This means the vulnerability exploits how an application references or calls an external resource, in this case, MSDT via a URL protocol.

How can an attacker exploit the MSDT vulnerability, and what is the scope of impact?

An attacker can exploit this vulnerability by tricking a user into opening a specially crafted document or link that invokes MSDT through a URL protocol. Successful exploitation allows the attacker to run arbitrary code with the privileges of the calling application, enabling them to install programs, view, change, or delete data, or create new accounts within the user's granted permissions.

How relevant is the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability?

This vulnerability is highly relevant due to its potential for arbitrary code execution. While it requires user interaction, such as opening a malicious file, the ability to run code with the privileges of the calling application poses a significant risk to systems and data.

What practical steps can be taken to respond to the MSDT vulnerability?

To respond to this vulnerability, organizations should identify all Windows assets, consider disabling MSDT or isolating affected systems if immediate patching is not possible, and apply vendor-provided updates as soon as they are available. It is also crucial to validate that the fixes have been applied and to monitor for any related malicious activity.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified