Windows service tampering vulnerability proof-of-concept code released

Overview

Security researchers at Akamai have released a proof-of-concept (POC) exploit for a vulnerability which is being tracked under CVE-2022-30216.

CVE-2022-30216 – A vulnerability exists which allows a malicious actor to perform server spoofing or trigger authentication coercion on affected systems. The vulnerability resides in the newly implemented Server Service (srvsvc) which has been released in the latest versions of Windows 11 and Windows Server 2022. Srvsvc is a native Windows service which manages SMB shares through remote procedure calls (RPC) over named pipes. In the latest versions of Windows, Microsoft has added support for SMB over the QUIC protocol, which verifies the identity of a server using that server’s certificate and relies on the srvsvc service for certificate management. The exploit targets a flaw in the srvsvc implementation, which does not adequately cover all of the service’s available functions; this allows a malicious actor to connect remotely to the RPC client and modify the certificate-mapping configuration on the server.

To perform the attack, the POC code combines exploitation of the vulnerability with a New Technology LAN Manager (NTLM) relay attack against the Active Directory Certificate Services (AD CS) server.

Impact

Successful exploitation of this vulnerability would allow an authenticated malicious actor to perform remote code execution (RCE) against a targeted domain controller. CVE-2022-30216 has been assigned a CVSS score of 8.8.

Vulnerability Detection

Windows 11 and Windows Server 2022 devices which are missing one of the respective patches:

• KB5015814

• KB5015807

• KB5015827
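The following PowerShell function is an added example written for this bulletin; it is not part of the original advisory or of Microsoft’s or Akamai’s material. It checks a Windows 11 or Windows Server 2022 host for the three KB numbers listed above (the KB IDs come from the bulletin; the function name and output layout are assumptions of this example). Only one of the three updates applies to any given OS build, so the host is reported as patched when any one of them is present.

```powershell
# Added example, not from the bulletin: report whether this host has one of the
# CVE-2022-30216 patches listed above installed. KB IDs are from the bulletin;
# the function name and output fields are this example's own choices.
function Test-Cve202230216Patch {
    [CmdletBinding()]
    param(
        # KB numbers from the bulletin; each one targets a different OS build.
        [string[]]$RequiredKb = @('KB5015814', 'KB5015807', 'KB5015827')
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_QuickFixEngineering (the source behind Get-HotFix) only lists
    # updates that register a QFE entry. If Windows Update history shows the KB
    # but it is absent here, verify the build number against the patch notes.
    $installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -in $RequiredKb }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSBuild      = $os.BuildNumber
        InstalledKb  = ($installed.HotFixID -join ',')
        # True when at least one of the listed KBs is present on this host.
        Patched      = [bool]$installed
    }
}

# Run locally; Patched = False means the host still needs the update.
Test-Cve202230216Patch
```

For fleet-wide checks the same function can be wrapped in Invoke-Command against a list of Windows 11 and Server 2022 hosts, collecting the objects it returns and filtering on Patched -eq $false.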

Affected Products

• Microsoft Windows Server 2022

• Microsoft Windows 11

Containment, Mitigations & Remediations

Microsoft has released the following patches for remediation against this vulnerability:

• KB5015814

• KB5015807

• KB5015827

Indicators of Compromise

No indicators of compromise have been released for this exploit at the time of writing.

Threat Landscape

Microsoft Windows systems hold a large share of the personal computing and server markets. Vulnerabilities which may be present within these systems should be addressed at the earliest possible point. The release of a POC exploit for this vulnerability will likely cause an increase in attacks which utilise this vulnerability as a mechanism for lateral movement within a Windows domain environment.

Mitre Methodologies

T1587.003 – Digital Certificates

T1203 – Exploitation for Client Execution

T1187 – Forced Authentication

Further Information

Microsoft Security Bulletin for CVE-2022-30216

Akamai research blog

Proof of Concept code

CVE-2022-30216

Windows support for SMB over QUIC