CVE-2022-30190

Any updates on CVE-2022-30190 for detection in the Insight Agent?

1 Like

Has this already been added to the database for manual scans as well?

Our team is currently working on a vulnerability check for CVE-2022-30190, so I can share more here once it’s fully tested and released. :+1:

In the meantime, we’ve got a blog post up here with some more details on this vulnerability. We’ll post additional info there as we have it, as well.

Hi Holly! From the console, I see the check exists - is this the check you’re referring to being worked on or is a separate one being added? Currently shows no instances for me, but I don’t want to have a false sense of security if the check hasn’t been fully implemented yet. Thanks!

1 Like

Hey Justin! Yesterday evening, we pushed a content release for InsightVM that includes our new authenticated check for this CVE. This is the check I was referring to previously, so if you use that in your scans, you should be able to determine whether any instances exist in your environment.

We’ve updated the blog post linked above to note the release of this new check, along with some additional guidance if you happen to also use InsightIDR.

1 Like

Thanks so much for the quick response, Holly! Just want to verify - will this authN check be covered by the agent or does it require an external, authN scan from a scan engine?

We have the same question.

1 Like

Holly would this be covered in the agent scan as well or only in the authenticated scans from the scan engines?

Thanks!

This check is available for the Insight agent as well, so you are able to use the agent for detecting this vulnerability.

There’s actually a handy way you can confirm the availability of a vulnerability check in InsightVM. A team member shared this with me and I figured it could be helpful for others.

If you get the ID of a vulnerability by searching the CVE in InsightVM (in this case, it’s msft-cve-2022-30190), you can then:

  1. In InsightVM, go to Administration > Maintenance, Storage and Troubleshooting > Run Security Console Commands
  2. In the textbox, enter show vuln msft-cve-2022-30190
  3. Click Execute

You should get a “response” that states the total number of vulnerability checks available in your instance. If that check does exist, the last column in the table called “Plugin Tags” may also have some additional info that tells you what type of check is available. In this case, if you’re fully up-to-date with the recent content release for CVE-2022-30190, you would see tags for “authenticated” and “agent”, which lets you know that you can perform the check with the agent and with authenticated scans.

7 Likes

Sooo awesome!

1 Like

Thank you so much for the help!

1 Like

Awesome, thank you for this share!

Got a question on this. I see the vuln popping all across the environment, including servers. Yet, the servers don’t have office installed and it seems like IVM is just looking for the status of the registry key and not considering whether or not Office is installed. Am I seeing this wrong or are these just false positives?

1 Like

Following…I see this too

CVE-2022-30190 is not an Office vulnerability, but a Windows vulnerability.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

Microsoft just uses Word as an example of how this can be exploited.

The check is following the vendor guidance, and is likely to change when the vendor guidance changes. But for now, with the official information available, these will be true positives.
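The exchange above turns on the check keying off a registry key rather than whether Office is installed. As an added example (not part of this thread and not Rapid7's check logic), this PowerShell function reports the state of the ms-msdt protocol handler key that Microsoft's published workaround removes, alongside a heuristic Office-presence check, so a host flagged without Office can be reconciled with the thread's explanation. The key name and the Office heuristic are assumptions from outside the thread.

```powershell
# Added example, not from the thread. Assumptions: the check keys on the
# HKCR\ms-msdt handler key (named in Microsoft's published workaround, not
# on this page), and Office presence is approximated from Uninstall entries.
function Get-MsdtMitigationStatus {
    [CmdletBinding()]
    param()

    # HKCR is not a default PSDrive in every session, so use the provider path.
    $keyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $keyPresent = Test-Path -LiteralPath $keyPath

    # Heuristic only: look for an installed product whose display name starts
    # with Microsoft Office or Microsoft 365 (64-bit and 32-bit Uninstall hives).
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $office = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like 'Microsoft Office*' -or
                             $_.DisplayName -like 'Microsoft 365*' }

    # A finding on a host without Office is consistent with the thread's point:
    # the handler key, not Office, is what the check observes.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MsMsdtKeyPresent  = $keyPresent
        MitigationApplied = -not $keyPresent
        OfficeInstalled   = [bool]$office
        Interpretation    = if ($keyPresent) {
                                'Handler key present; a finding here is expected regardless of Office'
                            } else {
                                'Handler key removed; finding should clear on the next scan'
                            }
    }
}

Get-MsdtMitigationStatus | Format-List
```

Run it under an account that can read HKLM; the Office column is informational and does not change the mitigation verdict.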

Understood that it was msdt/Windows. Was trying to get clarification on the attack vector here. If Office was the requirement, then that changes things. Has anyone done a successful POC with Libre Office/Open Office etc yet? Or any other attack vectors for that matter.

The official advisory does not state Office as a requirement, but rather as an example attack vector.

For more information on the vulnerability, and in-depth analysis, check out the write-up on AttackerKB: CVE-2022-30190 | AttackerKB

Once the mitigation efforts are in place, when an actual patch (remediation) comes out, is there something else that needs to be done?

There is no information about what a patch may or may not entail. Those kinds of questions will need to go to Microsoft.

Rapid7 will be following this, and will update the check and guidance as appropriate following any official vendor update.