Detection of CVE-2022-30190?

Mure
Mure Posts: 16 New Member
edited November 2022 in WithSecure Elements Endpoint Detection and Response

Hello!

We've had a question from customers about whether EDR can detect exploitation of CVE-2022-30190. Is this possible? And just looking ahead to the next time we get asked, is there a way to check such things within the UI?

Thanks very much!

Tim

Accepted Answer

  • James Chang
    James Chang Posts: 416 Moderator
    Answer ✓

    Hi Tim,

    I hope I can answer your questions but let me know if I missed out anything


    WithSecure EDR will be able to detect the resulting child processes if this vulnerability is exploited

    Following detections may generate when the vulnerability will be exploited:

    EDR :

    msdt spawned by iexplore - HIGH severity

    office apps spawned msdt - HIGH severity

    sdiagnhost spawned conhost - LOW severity

    office as grandparent process - LOW severity


    We do not have any documentation created nor we are able to distribute POC but you can use publicly available tools to create POC https://github.com/JohnHammond/msdt-follina

Answers

  • James Chang
    James Chang Posts: 416 Moderator

    Hi Tim,

    This is about the MS Doc Follina Vulnerability correct ? I believe our detection team has already fixed this with high priority.

    Regarding your second question, is that separate to the Vulnerability ? If yes, do let me know so I can split it to a new topic.

  • Mure
    Mure Posts: 16 New Member

    Hello!

    Thanks for your quick response. Yes, that's the Follina vulnerability. Very good news if it is indeed detected. Is there a way to be certain? We're liable for anything we tell the customers so kind of need to be sure.

    Also, is there a way for us to check these things for ourselves? What often happens here is that whenever the media notice a vulnerability, we get calls from customers asking if it's detected. It would be great if there were a page/resource where we could search for detected vulnerabilities by CVE or maybe chronological order.

    I'll make the second question a separate post.

    Thanks!

  • Mure
    Mure Posts: 16 New Member

    Thanks very much!

    Tim

  • jaXXXon
    jaXXXon Posts: 1 New Member
    https://community.withsecure.com/discussion/comment/129282#Comment_129282

    Hello, does this mean, that F-Secure Client Security is not able to detect this vulnerability?

    THX

  • James Chang
    James Chang Posts: 416 Moderator

    Hi,

    Client Security and Elements Endpoint Protection products can detect the Follina vulnerability through DeepGuard with detection Exploit:W32/Follina.A!DeepGuard

This discussion has been closed.

Categories