Detection of CVE-2022-30190?
We've had a question from customers about whether EDR can detect exploitation of CVE-2022-30190. Is this possible? And just looking ahead to the next time we get asked, is there a way to check such things within the UI?
Thanks very much!
I hope I can answer your questions, but let me know if I missed anything.
WithSecure EDR will be able to detect the resulting child processes if this vulnerability is exploited.
The following detections may be generated when the vulnerability is exploited:
msdt spawned by iexplore - HIGH severity
office apps spawned msdt - HIGH severity
sdiagnhost spawned conhost - LOW severity
office as grandparent process - LOW severity
We do not have any documentation created, nor are we able to distribute a POC, but you can use publicly available tools to create a POC: https://github.com/JohnHammond/msdt-follina
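To make the four parent/child relationships listed in the reply above concrete, here is an added example (my own code, not WithSecure's detection logic or anything from the vendor) that replays them over constructed process-creation records. The records are modelled loosely on Sysmon Event ID 1 fields (pid, ppid, image); the process names, PIDs, the Office executable set and the constructed chains are all assumptions for illustration. The grandparent rule is implemented generally (any process whose grandparent is an Office application), which is one reading of the "office as grandparent process" line.

```python
"""Replay of the Follina-style process-tree rules over constructed events.

Added example, not vendor code. Events are constructed inline and loosely
modelled on Sysmon Event ID 1 (pid, ppid, image); names and PIDs are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed set of Office executables (lower-case image basenames).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

SEVERITY_RANK = {"LOW": 1, "HIGH": 2}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lower-case basename of the executable


def _ancestor(index: Dict[int, ProcEvent], e: ProcEvent, depth: int) -> Optional[ProcEvent]:
    """Walk `depth` steps up the parent chain; None if the chain runs out."""
    cur: Optional[ProcEvent] = e
    for _ in range(depth):
        cur = index.get(cur.ppid) if cur else None
        if cur is None:
            return None
    return cur


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, int]]:
    """Return (detection name, severity, pid) for every rule that fires."""
    index = {e.pid: e for e in events}
    hits: List[Tuple[str, str, int]] = []
    for e in events:
        parent = _ancestor(index, e, 1)
        grand = _ancestor(index, e, 2)
        if e.image == "msdt.exe" and parent and parent.image == "iexplore.exe":
            hits.append(("msdt spawned by iexplore", "HIGH", e.pid))
        if e.image == "msdt.exe" and parent and parent.image in OFFICE_APPS:
            hits.append(("office apps spawned msdt", "HIGH", e.pid))
        if e.image == "conhost.exe" and parent and parent.image == "sdiagnhost.exe":
            hits.append(("sdiagnhost spawned conhost", "LOW", e.pid))
        if grand and grand.image in OFFICE_APPS:
            hits.append(("office as grandparent process", "LOW", e.pid))
    return hits


def max_severity(events: List[ProcEvent]) -> Optional[str]:
    """Highest severity among all hits, or None if nothing fired."""
    hits = evaluate(events)
    if not hits:
        return None
    return max((h[1] for h in hits), key=lambda s: SEVERITY_RANK[s])


# Constructed event set: a Word-launched msdt chain plus an IE-launched msdt.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),
    ProcEvent(300, 200, "msdt.exe"),        # office apps spawned msdt (HIGH)
    ProcEvent(400, 300, "sdiagnhost.exe"),  # grandparent is winword (LOW)
    ProcEvent(500, 400, "conhost.exe"),     # sdiagnhost spawned conhost (LOW)
    ProcEvent(1000, 100, "iexplore.exe"),
    ProcEvent(1100, 1000, "msdt.exe"),      # msdt spawned by iexplore (HIGH)
]

# Constructed benign set: Word idle, a user shell with its console host.
BENIGN_EVENTS = [
    ProcEvent(100, 4, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),
    ProcEvent(800, 100, "cmd.exe"),
    ProcEvent(900, 800, "conhost.exe"),
]

if __name__ == "__main__":
    for name, sev, pid in evaluate(SAMPLE_EVENTS):
        print(f"{sev:4} pid={pid} {name}")
    print("benign hits:", evaluate(BENIGN_EVENTS))
```

Running it prints two HIGH and two LOW hits for the constructed exploitation chains and nothing for the benign set. Replacing the inline records with real process-creation telemetry from a test machine after opening a proof-of-concept document is one way to see which of the listed parent/child relationships actually appear in your environment.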
This is about the MS Doc Follina vulnerability, correct? I believe our detection team has already fixed this with high priority.
Regarding your second question, is that separate from the vulnerability? If yes, do let me know so I can split it into a new topic.
Thanks for your quick response. Yes, that's the Follina vulnerability. Very good news if it is indeed detected. Is there a way to be certain? We're liable for anything we tell the customers so kind of need to be sure.
Also, is there a way for us to check these things for ourselves? What often happens here is that whenever the media notice a vulnerability, we get calls from customers asking if it's detected. It would be great if there were a page/resource where we could search for detected vulnerabilities by CVE or maybe chronological order.
I'll make the second question a separate post.
Thanks very much!
Hello, does this mean that F-Secure Client Security is not able to detect this vulnerability?
Client Security and Elements Endpoint Protection products can detect the Follina vulnerability through DeepGuard with detection Exploit:W32/Follina.A!DeepGuard