CVE-2022-30140: Windows iSCSI Discovery Service Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Jun

Released

2022-06-14

Last Updated

2022-09-20

EPSS Score

2.18% (percentile: 84.3%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Successful exploitation of this vulnerability requires a user to place a call to trigger the vulnerability. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

Affected Products (39)

Windows

• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows 10 Version 21H1 for x64-based Systems
• Windows 10 Version 21H1 for ARM64-based Systems
• Windows 10 Version 21H1 for 32-bit Systems
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows 10 Version 20H2 for 32-bit Systems
• Windows 10 Version 20H2 for ARM64-based Systems
• Windows Server, version 20H2 (Server Core Installation)
• Windows 11 version 21H2 for x64-based Systems
• Windows 11 version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows 10 for 32-bit Systems
• Windows 10 for x64-based Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows 8.1 for 32-bit systems
• Windows 8.1 for x64-based systems
• Windows RT 8.1

ESU

• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (14)

• 5014692
• 5014699
• 5014678
• 5014697
• 5014710
• 5014702
• 5014748
• 5014742
• 5014738
• 5014746
• 5014752
• 5014743
• 5014747
• 5014741

Acknowledgments

<a href="https://twitter.com/arudd1ck">Andrew Ruddick</a> with Microsoft Security Response Center, <a href=https://twitter.com/ecthr0s>George Hughey</a> with Microsoft Security Response Center

Revision History

• 2022-06-14: Information published.
• 2022-09-20: Updated one or more CVSS scores for the affected products. This is an informational change only.