Zero-day vulnerability in Windows
Permissions, Privileges, and Access Controls
CVE-2022-38028
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
GooseEgg
Vulnerability details
Advisory: SB2022101229 - Privilege escalation in Microsoft Windows Print Spooler
Vulnerable component: Windows
CVE-ID: CVE-2022-38028
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Description:
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the Windows Print Spooler, which leads to security restrictions bypass and privilege escalation.
Note, the vulnerability is being exploited in the wild since at least June 2020 and possibly as early as April 2019.