As of 27 May 2022, researchers have been publishing details on how Windows protocol handlers can be abused for malicious purposes by referencing specially crafted Uniform Resource Locators (URLs) . These issues affect all client and server versions of the Windows operating system, and there is no fix available at the time of reporting. Microsoft’s advisory provides some mitigation measures to prevent the exploitation of vulnerable systems.
On 30 May 2022, Microsoft released an advisory for a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability, tracked as CVE-2022-30190. Prior to this, several researchers published proof-of-concept code for remote execution, referring to the issue as “Follina”.
MSDT is a utility used to troubleshoot and collect diagnostic data for analysis by Microsoft Support. According to Microsoft’s documentation, MSDT “invokes a troubleshooting pack at the command line or as part of an automated script and enables additional options without user input.”
Threat actors have been leveraging the MS- MSDT scheme to remotely execute arbitrary code on systems running various versions of Windows. The flaw abuses a Microsoft Office remote template feature to retrieve a HyperText Markup Language (HTML) file, which then uses MSDT to execute PowerShell code.
This technique can potentially be used with any application supporting MS Protocols. Researchers noted that Office, Outlook, and .lnk files have already been used in exploitation. A malicious actor requires minimal victim interaction and can achieve code execution when a calling application (an email or a document) is opened. They can then install programs, view, change, delete data, or create new accounts using the privileges of the calling application.
On 1 June 2022, researchers reported another similar abuse method leveraging a URI protocol handler called SEARCH-MS, which is a Windows Saved Search file that enables applications and HTML links to search through the Windows operating system. The exploit combines a Microsoft Office OLEObject flaw with the protocol handler functionality issue to open a remote Search window simply by opening a Word document, leading to a Location Path Spoofing vulnerability.
By leveraging this method, a threat actor could force Windows Search to query file shares on remote hosts and use a custom title for the search window. When a user opens a Word document, it will automatically launch a SEARCH-MS command to open a Windows Search window. A threat actor could rename the executable to lure a victim into inadvertently installing the malware, e.g. “Security Update”, or include the SEARCH-MS URI in a phishing email. This second vulnerability is harder to exploit than the first one, as it requires more interaction from a victim user, who would have to open a document and click/run an executable.
Microsoft notes that Protected View and Application Guard for Office will alert users when a document is potentially malicious. However, when a Rich Text Format file (.rtf) is used, the code can run without opening the document, via the Preview Pane in Windows Explorer, if enabled.
Microsoft acknowledged the issue in its guidance for CVE-2022-30190 and is expected to fix the flaws in the protocol handlers and their underlying Windows features in an upcoming update. The company did not provide a date for the expected fix.
Clients with active blocking enabled in their Covalence monitoring are protected from this threat. Covalence continuously monitors the activity of Microsoft Office productivity software that may be susceptible to malicious documents or email attachments. Covalence detection for malicious PowerShell abuse via these protocol handlers was also in place prior to the May 2022 reports. Additionally, our teams have been applying the latest indicators of compromise and have added rules to detect and block additional aspects of this threat to ensure our clients and partners are robustly protected.
We recommend following Microsoft’s mitigation advice in the advisory referenced below. It requires disabling the MSDT URL protocol used to execute code on vulnerable systems, which can be done via Windows Group Policy Object (GPO).
We also recommend deleting the SEARCH-MS protocol handler from the Windows Registry, after you back up the registry key. The details on the mitigations are in the References section below.
Consider adding Attack Surface Reduction (ASR) rule: Block Office Application from Creating Child Processes. We recommend testing the rule in Audit mode before enabling it as it will allow you to evaluate how the ASR rule would impact your organization. See the references below for guidance on how to enable the rule.
Consider disabling the Preview Pane in File Explorer by clicking on View Tab and clicking on Preview Pane to hide it.
On 10 May 2022, Microsoft released updates to address 75 vulnerabilities; eight were classified as critical, three were publicly disclosed, and one of them is being exploited. We recommend applying the latest updates as soon as possible.
Microsoft noted that threat actors are exploiting a publicly disclosed flaw tracked as CVE-2022-26925. This vulnerability affects Local Security Authority (LSA), a process in Microsoft Windows responsible for enforcing the security policy on the system. An unauthenticated threat actor could call a method on the LSA Remote Procedure Call (RPC) interface and force a domain controller to authenticate using Windows New Technology LAN Manager (NTLM).
Microsoft rated this flaw as “important” and assigned a CVSS risk score of 8.1 out f 10. However, when paired with an NTLM Relay Attack on Active Directory Certificate Services (AD CS), it could lead to Remote Code Execution (RCE); Microsoft assessed that the CVSS score would then increase to 9.8.
This vulnerability affects all servers, but domain controllers should be prioritized when applying security updates.
The most notable of the vulnerabilities that were labelled as critical include:
- CVE-2022-26937 – an RCE in Windows Network File System (NFS), a non-default Windows component. Unauthenticated threat actors could use it to execute code in the context of the service on systems running NFS versions prior to 4.1. CVSS: 9.8
- CVE-2022-22012 and CVE-2022-29130 are both RCE flaws in Windows Lightweight Directory Access Protocol (LDAP) requiring a non-default configuration. The MaxReceiveBuffer LDAP policy has to be set to a value higher than the default value in order for it to be exploitable. CVSS: 9.8
- CVE-2022-21972 and CVE-2022-23270 are both RCE vulnerabilities in a Point-to-Point Tunneling protocol affecting Windows OS and Server. Successful exploitation requires a malicious party to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS) server, which could lead to RCE on the RAS server machine. CVSS: 8.1
- CVE-2022-26923 is a privilege escalation vulnerability in the Active Directory (AD) Domain Server. An issue with certificate issuance could be exploited to authenticate to a domain controller with a high level of privilege. A domain-authenticated user able to include crafted data in a certificate request can become a domain admin if AD Certificate Services are running on the domain. CVSS: 8.8
Publicly Disclosed Vulnerabilities
Two of the vulnerabilities fixed this month have public details available, which increases the likelihood of them being leveraged by threat actors.
- CVE-2022-22713 is a Denial-of-Service vulnerability in Windows Hyper-V on Windows 10 on X64-based systems and Windows Server 2019. Hyper-V (Viridian) is a technology that allows users to create virtual computer environments. Microsoft rated the flaw as “Important” and assigned a CVSS risk score of 5.6. Exploitation requires prior authentication and manipulation with an unknown input.
- On 9 May, Microsoft released an advisory on a publicly disclosed vulnerability affecting Azure Data Factory and Azure Synapse Pipelines through a third-party Open Database Connectivity (ODBC) driver. The vulnerability, tracked as CVE-2022-29972, could allow remote commands across Integration Runtimes (IR) infrastructure – a compute infrastructure that provides data integration capabilities across network environments.
- Threat actors could use the vulnerability to access and control other customers’ workspaces; this may include access to sensitive data, such as Azure service keys, API tokens, and passwords to other services. CVSS: 8.1.
- Azure Data Factory or Azure Synapse pipeline customers hosted in the Azure cloud (Azure Integration Runtime) do not need to take any action. The same is true for those who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. However, customers using Azure Data Factory with Self-hosted IRs (SHIRs) with no auto-update need to download the latest version (5.17.8154.2) from Microsoft’s Download Center.
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
During March and April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Windows Print Spooler vulnerabilities to its Known Exploited Vulnerabilities Catalog. We recommend applying the updates and mitigations for all affected systems immediately.
Both Print Spooler vulnerabilities are high-severity and were released on 8 February 2022. The first, tracked as CVE-2022-21999 and known as “SpoolFool“, allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable system. The SpoolFool vulnerability can be used to trick the Print Spooler service to write an arbitrary file in a system folder by using symbolic links. This allows a threat actor to install programs; view, change, or delete data; or create new accounts with administrator rights. The vulnerability is rated with a Common Vulnerability Scoring System 3.1 (CVSS) rating of 7.8, and details on the vulnerability are
The second vulnerability, tracked as CVE-2022-22718, can be leveraged to achieve code execution as SYSTEM. It impacts all versions of Windows missing the February 2022 updates. Microsoft noted that threat actors can exploit it locally in low-complexity attacks without user interaction. The vulnerability is also rated with a CVSS rating of 7.8
We recommend applying Microsoft’s February security update, that addresses these vulnerabilities, as soon as possible.
To apply updates users should go to Settings > Windows Update > Check for Updates. A system restart will be required to complete the update.
In late March 2022, open-source reporting indicated that threat actors have been targeting a critical vulnerability in Spring applications. We recommend following the mitigation steps below and immediately updating all vulnerable versions of these Spring products.
On 31 March 2022, Spring released an update to fix a critical vulnerability in the Spring Core Java framework. The vulnerability is tracked as CVE-2022-22965 and is known as “SpringShell” or “Spring4Shell”. It is rated with a maximum Base CVSS Score of 10 and affects Spring MVC and Spring WebFlux applications running on Java 9 or greater. The flaw is however only exploitable under specific conditions.
Spring is both a framework and a library. Depending on how it is used, exploitation may require prior authentication to the application. In some non-default configurations of the Spring applications, a threat actor could obtain Remote Code Execution (RCE) by sending a specially crafted request to a vulnerable system. According to 31 March information, for a system to be vulnerable it must be internet-facing and meet the following conditions:
- Use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Use Java Development Kit (JDK) version 9 or higher
- Run Apache Tomcat as the Servlet container that is packaged as a traditional Web Archive (WAR) (versus a Spring Boot executable jar)
- Have a dependency on Spring Web MVC or Spring WebFlux
Late March 2022 reporting indicates that the application is not vulnerable if it is deployed in the default configuration, such as a Spring Boot executable jar. Researchers have published proof-of-concept code for exploiting this vulnerability, and reports have emerged that threat actors are scanning the internet to locate vulnerable hosts.
Field Effect Posture
Field Effect has completed an internal review and its products are not vulnerable to this issue. As the situation evolves, Covalence will continue to alert you to the presence of potentially impacted software in your environment. Our teams are working on applying the latest indicators of compromise and detecting any exploitation attempts to ensure our clients and partners are protected from this threat.
We strongly advise that you review the list of conditions provided above to determine if your systems are vulnerable.
We recommend following Spring’s advice and immediately updating the affected software to the latest release.
If you are unable to apply the updates immediately, follow Spring’s Mitigation Alternative advice.
We also recommend monitoring Field Effect Security Intelligence blog updates for any developments regarding the vulnerability.
On 25 March 2022, Google released Chrome 99.0.4844.84 for Windows, Mac, and Linux to address a flaw that is being actively exploited by threat actors. We recommend updating to the latest browser version as soon as possible.
The vulnerability, noted in CVE-2022-1096, received a high-severity rating. It is known as a type confusion weakness. A threat actor could leverage this flaw to perform out-of-bounds memory access, inject and execute arbitrary code.
Browser versions vulnerable to the aforementioned flaw could be exploited, hence increasing your network’s threat surface. The latest versions of Chrome, Edge and Brave are being released worldwide and can be deployed through automatic or manual updates.
We recommend that Windows, Mac, and Linux desktop users of Chrome and Chromium-based browsers manually upgrade now to the latest version by going to Settings -> Help -> About.
The web browser will then automatically check for the new update and install it if available.
We recommend notifying users of this risk and requesting that they restart their browser to ensure the needed security patches are applied.
If software is managed centrally within your organization, we recommend updating this software as soon as possible.