CVE-2022-30190 – Zero-Day ‘Follina’ Bug Lays Microsoft Office Open to RCE Attack
A remote code execution vulnerability has been found in the Microsoft Support Diagnostic Tool (MSDT). It is triggered through the MSDT URL protocol when that protocol is invoked from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or, worse yet, create new accounts in the context allowed by the user’s rights. Security researcher Kevin Beaumont described the attack chain: “the document uses the Word remote template feature to retrieve a HTML file from a remote web server. In turn, the ‘ms-msdt’ MSProtocol URI scheme loads relevant code and executes PowerShell.”
CTRL recommends patching systems as soon as a patch is available. Until then, the following workarounds apply:
Disable the MSDT URL protocol. Steps for this workaround can be found here.
Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These artificial intelligence features can rapidly identify and stop threats.
Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which blocks Office apps from creating child processes.
Disable the Preview pane in Windows Explorer to remove that attack vector as well.
Users can follow Microsoft’s Attack Surface Reduction measures to mitigate risk in lieu of a patch.
Organisations should warn their employees not to open unknown emails or their attachments, and not to click on links in them.
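The first three workarounds above, applied to a single host as one script. This is an added example, not CTRL’s or Microsoft’s own code; it assumes Microsoft Defender Antivirus is the active antivirus and that C:\Temp is a writable backup location (a path chosen here).

```powershell
#Requires -RunAsAdministrator
# Added example (not CTRL's or Microsoft's script): apply the first three
# Follina workarounds on one Windows host. Assumes Microsoft Defender
# Antivirus is the active AV and that C:\Temp is writable (path chosen here).

$backup = 'C:\Temp\ms-msdt.reg'
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# 1. Disable the ms-msdt URL protocol: back up the handler key, then delete it.
#    Without the key there is no registered handler for ms-msdt: links, whether
#    they arrive from an Office document or from the Explorer preview pane.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $backup /y | Out-Null
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    Write-Host "ms-msdt handler removed; backup saved to $backup"
}

# 2. Cloud-delivered protection and automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# 3. ASR rule "Block all Office applications from creating child processes",
#    rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A. Use
#    -AttackSurfaceReductionRules_Actions AuditMode first to gauge the impact
#    on line-of-business add-ins, then switch to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Verify: MAPSReporting 2 = Advanced, SubmitSamplesConsent 3 = SendAllSamples,
#    and the rule GUID should be listed with action 1 (Block).
Get-MpPreference |
    Select-Object MAPSReporting, SubmitSamplesConsent,
                  AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # should now be False
```

Keep the exported .reg file so the handler can be restored once the patch is installed.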
April’s VMware Bugs Abused in the Wild
A proof-of-concept exploit published on GitHub is being abused by adversaries in the wild. The recently reported VMware bugs (CVE-2022-22954 and CVE-2022-22960) are being used by attackers, and the activity is linked to the ‘Mirai’ denial-of-service malware and the ‘Log4Shell’ vulnerability.
CVE-2022-22954 – CVSS score 9.8. The bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager.
CVE-2022-22960 – CVSS score 7.8. A local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.
After VMware disclosed the bugs in April, a proof-of-concept (PoC) was released on GitHub and shared via Twitter. Barracuda researchers started seeing probes and exploit attempts for these vulnerabilities soon after. The majority of the traffic originates from US, UK and Russian IP addresses, and most of it consists of probes rather than actual exploit attempts.
CTRL Group’s NIDS capability can detect these attempts. Our team recommends immediate patching as the best way to protect affected systems; the patches can be found here. It is also advised to place such systems behind a web application firewall (WAF), which increases protection against zero-day attacks and other vulnerabilities, including Log4Shell.
No-fix Privilege Escalation Vulnerability in Active Directory
A security researcher has released a tool named “KrbRelayUp” that takes advantage of an unfixable security issue within Active Directory. Through this vulnerability, attackers may escalate their privileges in Windows domains to a “SYSTEM superuser”. The exploit works against Active Directory with default settings applied: the flaw ‘negates the whole concept of user privileges in the local machine’. In other words, any locally logged-in user can escalate their privileges on the local machine.
CTRL recommends enforcing Lightweight Directory Access Protocol (LDAP) signing and channel binding for Windows domains to block this attack. The tool’s creator has also published mitigation techniques for this exploit on GitHub. CTRL Group has implemented relevant detection rules.
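Enforcing LDAP signing and channel binding on a domain controller, as an added example rather than CTRL’s or the tool author’s published mitigations. It assumes a Windows Server 2012 R2 or later DC with the LDAP channel binding update (ADV190023) installed, and sets the registry values that the equivalent Group Policy settings control.

```powershell
#Requires -RunAsAdministrator
# Added example (not CTRL's or the KrbRelayUp author's code): enforce LDAP
# server signing and LDAP channel binding on one domain controller. Assumes
# Windows Server 2012 R2 or later with the LDAP channel binding update
# (ADV190023) installed. For a domain-wide rollout, set the matching policies
# in the Default Domain Controllers Policy instead of editing each DC.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Step 1: raise LDAP interface logging so that event 2889 (a client bound
# without signing) and 3039 (a client failed the channel binding check)
# reveal the clients that would break once enforcement is switched on.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Review those events before enforcing; each names the client IP and account.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889, 3039 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Step 2: require signing on the LDAP server side.
# LDAPServerIntegrity: 1 = None (default), 2 = Require signing.
Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity -Value 2 -Type DWord

# Step 3: require channel binding tokens on LDAPS.
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
# Use 1 as a staging value if legacy clients keep appearing in the 3039 events.
Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 -Type DWord

# Step 4: confirm the values now in force (expect 2 and 2).
Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity, LdapEnforceChannelBinding |
    Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding
```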
SonicWall Patches New Flaws
SonicWall has published a security advisory covering three flaws that affect its Secure Mobile Access (SMA) 1000 series appliances, including a high-severity authentication bypass. Affected products are the SMA 6200, 6210, 7200, 7210 and 8000v running firmware versions 12.4.0 and 12.4.1. If successfully exploited, these vulnerabilities may allow a threat actor to gain unauthorized access to internal resources or to redirect victims to malicious websites. The vulnerabilities are:
CVE-2022-22282 (CVSS score: 8.2) – Unauthenticated Access Control Bypass
CVE-2022-1702 (CVSS score: 6.1) – URL redirection to an untrusted site (open redirection)
CVE-2022-1701 (CVSS score: 5.7) – Use of a shared and hard-coded cryptographic key
Currently, there is no temporary mitigation for these flaws. SonicWall has urged affected customers to apply the applicable patches as soon as possible. This can be done by going to the following link and consulting the “Fixed Firmware” column for the versions to update to. Notably, the flaws do not affect SMA 1000 series devices running versions earlier than 12.4.0, the SMA 100 series, Central Management Servers, or remote-access clients.