【资讯处-转知】 (ANA事件单通知:TACERT-ANA-2022062203064343)(【漏洞预警】微软支援诊断工具存在安全漏洞(CVE-2022-30190),攻击者可借此远端执行任意程式码,请尽速确认并进行更新)

发布编号:TACERT-ANA-2022062203064343

发布时间:2022-06-22 14:14:44

事故类型:ANA-漏洞预警

发现时间:2022-06-22 15:04:44

影响等级:中

 

[主旨说明:]

【漏洞预警】微软支援诊断工具存在安全漏洞(CVE-2022-30190),攻击者可借此远端执行任意程式码,请尽速确认并进行更新

 

[内容说明:]

 

转发 国家资安资讯分享与分析中心 NISAC-ANA-202206-0978

微软支援诊断工具(Microsoft Support Diagnostic Tool, MSDT)为Windows作业系统用以蒐集装置之诊断资料,并传送给技术支援工程师以解决问题之工具。研究人员发现微软支援诊断工具存在名为Follina之安全漏洞(CVE-2022-30190),攻击者诱骗使用者开启恶意Word档案时,可利用URL协定呼叫微软支援诊断工具以触发此漏洞,进而远端执行任意程式码。

情资分享等级: WHITE(情资内容为可公开揭露之资讯)

 

[影响平台:]

受影响版本如下:

● Windows 7 for 32-bit Systems Service Pack 1

● Windows 7 for x64-based Systems Service Pack 1

● Windows 8.1 for 32-bit systems

● Windows 8.1 for x64-based systems

● Windows RT 8.1

● Windows 10 for 32-bit Systems

● Windows 10 for x64-based Systems

● Windows 10 Version 1607 for 32-bit Systems

● Windows 10 Version 1607 for x64-based Systems

● Windows 10 Version 1809 for 32-bit Systems

● Windows 10 Version 1809 for ARM64-based Systems

● Windows 10 Version 1809 for x64-based Systems

● Windows 10 Version 20H2 for 32-bit Systems

● Windows 10 Version 20H2 for ARM64-based Systems

● Windows 10 Version 20H2 for x64-based Systems

● Windows 10 Version 21H1 for 32-bit Systems

● Windows 10 Version 21H1 for ARM64-based Systems

● Windows 10 Version 21H1 for x64-based Systems

● Windows 10 Version 21H2 for 32-bit Systems

● Windows 10 Version 21H2 for ARM64-based Systems

● Windows 10 Version 21H2 for x64-based Systems

● Windows 11 for ARM64-based Systems

● Windows 11 for x64-based Systems

● Windows Server 2008 R2 for x64-based Systems Service Pack 1

● Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)

● Windows Server 2012

● Windows Server 2012 (Server Core installation)

● Windows Server 2012 R2

● Windows Server 2012 R2(Server Core installation)

● Windows Server 2016

● Windows Server 2016(Server Core installation)

● Windows Server 2019

● Windows Server 2019(Server Core installation)

● Windows Server 2022

● Windows Server 2022(Server Core installation)

● Windows Server, version 20H2(Server Core Installation)

 

[建议措施:]

1.目前微软官方已针对此漏洞释出更新程式,请各机关可联络系统维护厂商或参考以下连结进行更新:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

2.若无法进行更新,可参考微软官方网站采取下列缓解措施,以暂时关闭微软支援诊断工具之URL协定:

    (1)以系统管理员身分开启「命令提示字符」视窗

    (2)执行「reg export HKEY_CLASSES_ROOTms-msdt filename」指令进行机码备份

    (3)执行指令「reg delete HKEY_CLASSES_ROOTms-msdt /f」

    (4)后续安装修补程式后,若要还原机码,请执行「reg import filename」

3.请更新电脑防毒软件病毒码。

4.请留意可疑电子邮件,注意邮件来源正确性,勿随意点击信件连结或开启附件。

5.请加强内部宣导,提升人员资安意识,以防范骇客利用电子邮件进行社交工程攻击。

 

[参考资料:]

1. Office零时差漏洞让骇客执行恶意指令,关闭宏也不见得挡得了

2. 中国骇客已着手开采微软Follina零时差漏洞

3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

4. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

5. Office 的应用程式防护

(此通报仅在于告知相关资讯,并非为资安事件),如果您对此通报的内容有疑问或有关于此事件的建议,欢迎与我们连络。

教育机构资安通报应变小组

网址:https://info.cert.tanet.edu.tw/

专线电话:07-5250211

网络电话:98400000

E-Mail:service@cert.tanet.edu.tw

编辑