CVERadar
CVE-2022-21974
High Severity | Microsoft
SVRS: 58
CVSSv3: 7.8
EPSS: 0.04807
Tags: No tags available
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Publication date: 2022-02-09
Last modified: 2025-01-02
Security Intelligence Brief
1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2022-21974, is a Remote Code Execution (RCE) flaw in Microsoft's Roaming Security Rights Management Services. It matters because successful exploitation lets an attacker execute arbitrary code on a vulnerable system with the privileges of the affected service, which can lead to full system compromise: data theft, system modification, or further movement into the network. Exploitation typically requires user interaction, such as opening a specially crafted malicious file, which makes it a critical threat to user-facing systems.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS v3.1 base score for CVE-2022-21974 is 7.8, which is classified as a High severity vulnerability. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability was initially published on February 9 or 10, 2022. It was last updated on November 21, 2024.
3. Which products, vendors, systems, and versions are affected?
The vulnerability affects Microsoft's Roaming Security Rights Management Services (RMS). Specifically, affected versions include Microsoft Windows systems where RMS is present, such as Windows Server 2019 versions prior to 10.0.17763.2565.
4. What is the technical root cause and attack vector?
The technical root cause of CVE-2022-21974 is an uninitialized pointer free within the `RMSRoamingSecurity!ATL::CComCreator>::CreateInstance` constructor. This constructor allocates and initializes a `CRmsRoamingSecurity` object, but it fails to fully initialize its state. As a result, an uninitialized pointer located at offset 0x3458 is later freed when the destructor `CRmsRoamingSecurity::_Cleanup` is invoked.
The primary attack vector for this vulnerability is user-assisted. Exploitation typically involves a user being tricked into opening a specially crafted malicious Rich Text Format (RTF) file in Microsoft Word or a similar application that processes RTF files and interacts with Roaming Security Rights Management Services.
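The root cause described above is a general bug class: a constructor that initializes some members but leaves a pointer member indeterminate, paired with a cleanup routine that frees that pointer unconditionally. The following C program is an added example (not Microsoft's code and not the real ATL object; the type, member and function names are hypothetical stand-ins) that shows the vulnerable pattern beside the hardened one and a check that reveals the forgotten initializer by inspecting raw bytes against a debug-allocator fill pattern, the way the MSVC debug heap's 0xCD fill exposes such bugs. The vulnerable cleanup is defined for comparison but never called, so nothing indeterminate is freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Microsoft's code. Models the bug class the brief
 * describes for CVE-2022-21974: a constructor that leaves a pointer member
 * indeterminate, and a cleanup routine that later frees whatever bytes sit
 * in that slot. Names are hypothetical stand-ins for the real ATL object. */

/* A debug allocator fills fresh blocks with a recognizable pattern. */
#define FILL_BYTE 0xCD

static void *debug_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, FILL_BYTE, n);
    return p;
}

typedef struct {
    int   state;
    char *buffer;
} RoamingSecurity;

/* Vulnerable constructor: initializes state but never touches buffer. */
RoamingSecurity *create_vulnerable(void) {
    RoamingSecurity *obj = debug_alloc(sizeof *obj);
    if (!obj) return NULL;
    obj->state = 0;
    return obj;                 /* obj->buffer is indeterminate */
}

/* Vulnerable cleanup: frees buffer unconditionally. If buffer was never
 * assigned, this frees an indeterminate pointer. Never called here. */
void cleanup_vulnerable(RoamingSecurity *obj) {
    free(obj->buffer);
    free(obj);
}

/* Fixed constructor: every pointer member starts NULL. */
RoamingSecurity *create_fixed(void) {
    RoamingSecurity *obj = debug_alloc(sizeof *obj);
    if (!obj) return NULL;
    obj->state = 0;
    obj->buffer = NULL;
    return obj;
}

/* Fixed cleanup: free(NULL) is a no-op, and nulling after free makes a
 * second cleanup call harmless instead of a double free. */
void cleanup_fixed(RoamingSecurity *obj) {
    free(obj->buffer);
    obj->buffer = NULL;
}

/* Reports whether the bytes of obj->buffer still carry the allocator's fill
 * pattern, i.e. whether the constructor forgot that member. Only raw bytes
 * are inspected, so nothing indeterminate is dereferenced or freed. */
bool buffer_left_uninitialized(const RoamingSecurity *obj) {
    unsigned char fill[sizeof obj->buffer];
    memset(fill, FILL_BYTE, sizeof fill);
    const unsigned char *slot =
        (const unsigned char *)obj + offsetof(RoamingSecurity, buffer);
    return memcmp(slot, fill, sizeof fill) == 0;
}

/* Vulnerable object: the buffer slot still holds the 0xCD fill. */
bool vulnerable_ctor_skips_buffer(void) {
    RoamingSecurity *obj = create_vulnerable();
    if (!obj) return false;
    bool r = buffer_left_uninitialized(obj);
    free(obj);                  /* release the object only, never obj->buffer */
    return r;
}

/* Fixed object: slot holds NULL, and cleanup can run twice safely. */
bool fixed_ctor_and_cleanup_are_safe(void) {
    RoamingSecurity *obj = create_fixed();
    if (!obj) return false;
    bool uninit = buffer_left_uninitialized(obj);
    obj->buffer = malloc(16);
    cleanup_fixed(obj);
    cleanup_fixed(obj);         /* second call: free(NULL), no double free */
    bool r = !uninit && obj->buffer == NULL;
    free(obj);
    return r;
}

int main(void) {
    printf("vulnerable constructor leaves buffer uninitialized: %s\n",
           vulnerable_ctor_skips_buffer() ? "yes" : "no");
    printf("fixed constructor and cleanup safe: %s\n",
           fixed_ctor_and_cleanup_are_safe() ? "yes" : "no");
    return 0;
}
```

The fix has two halves, and both matter: initialize every pointer member in the constructor (or allocate with a zeroing allocator), and make the cleanup routine null the pointer after freeing it so a repeated or partial-teardown call cannot turn into a double free.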
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker who crafts a malicious Rich Text Format (RTF) file. When a user opens this file, for example, in Microsoft Word, it can trigger the uninitialized pointer free flaw in the Roaming Security Rights Management Services, leading to remote code execution. Proof-of-concept (PoC) code for this vulnerability has been published. Active exploits have also been published to leverage this vulnerability.
6. What mitigation steps and patches are available?
The primary mitigation step is to apply the security updates released by Microsoft. Microsoft issued a patch for CVE-2022-21974 as part of its February 2022 Patch Tuesday updates. Organizations are advised to update affected systems to the fixed versions provided by the vendor.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected through security scanning tools and vulnerability management platforms. For instance, Tenable provides specific plugins and audits designed to identify systems affected by CVE-2022-21974. Regular patching and system audits are essential for maintaining awareness of system vulnerability status.
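Beyond vendor scanners, the one concrete fact the brief gives for a local check is the fixed build in section 3: Windows Server 2019 builds below 10.0.17763.2565. The following C program is an added example (not CVERadar's or Microsoft's code) that parses a reported Windows build string, compares it against that fixed build, and deliberately reports any other build line as unknown rather than guessing, since the brief names no fixed revision for other lines. The inventory lines are constructed sample data, not real systems.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CVERadar's or Microsoft's code. The brief names one fixed
 * build for this CVE: Windows Server 2019 is vulnerable below 10.0.17763.2565.
 * Any other build line is reported as UNKNOWN, never guessed. */

enum verdict { VERDICT_VULNERABLE, VERDICT_PATCHED, VERDICT_UNKNOWN };

struct win_build { unsigned major, minor, build, ubr; };

/* Fixed build for Windows Server 2019 as stated in the brief. */
static const struct win_build FIXED_SERVER_2019 = { 10, 0, 17763, 2565 };

/* Parses "major.minor.build.ubr"; returns 0 on missing fields or trailing junk. */
int parse_win_build(const char *s, struct win_build *out) {
    char trailing;
    int n = sscanf(s, "%u.%u.%u.%u%c",
                   &out->major, &out->minor, &out->build, &out->ubr, &trailing);
    return n == 4;
}

enum verdict assess_build(const char *version) {
    struct win_build b;
    if (!parse_win_build(version, &b)) return VERDICT_UNKNOWN;
    if (b.major != FIXED_SERVER_2019.major || b.minor != FIXED_SERVER_2019.minor ||
        b.build != FIXED_SERVER_2019.build)
        return VERDICT_UNKNOWN;   /* other build line: no fixed UBR given in the brief */
    return b.ubr < FIXED_SERVER_2019.ubr ? VERDICT_VULNERABLE : VERDICT_PATCHED;
}

static const char *verdict_name(enum verdict v) {
    switch (v) {
    case VERDICT_VULNERABLE: return "VULNERABLE";
    case VERDICT_PATCHED:    return "PATCHED";
    default:                 return "UNKNOWN";
    }
}

int main(void) {
    /* Constructed inventory: "host,build" (hypothetical hosts). */
    const char *inventory[] = {
        "srv-files-01,10.0.17763.2300",
        "srv-files-02,10.0.17763.2565",
        "srv-app-07,10.0.17763.2686",
        "srv-new-01,10.0.20348.524",
        "srv-odd-09,17763",
    };
    size_t count = sizeof inventory / sizeof inventory[0];
    for (size_t i = 0; i < count; i++) {
        const char *comma = strchr(inventory[i], ',');
        if (!comma) continue;
        printf("%-14.*s %-18s %s\n", (int)(comma - inventory[i]), inventory[i],
               comma + 1, verdict_name(assess_build(comma + 1)));
    }
    return 0;
}
```

Treating other build lines as unknown is the safe default for an inventory check: a host on a different line still needs the February 2022 update, but its fixed revision has to come from the vendor advisory, not from an assumption.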
8. What are the indicators of compromise (IOCs)?
The provided CVE data and search results do not explicitly detail specific indicators of compromise (IOCs) for CVE-2022-21974. However, typical IOCs for RCE vulnerabilities exploited via malicious documents could include unusual process creation, network connections to unknown external hosts, unexpected file modifications, or the presence of suspicious files.
9. Which threat actors are known to exploit this vulnerability?
While active exploits have been published for this vulnerability, the available references do not name any specific threat actors or groups known to exploit CVE-2022-21974.
10. What public intelligence references and advisories exist?
Public intelligence references and advisories for CVE-2022-21974 include:
- Microsoft Security Response Center (MSRC) Update Guide for CVE-2022-21974.
- National Vulnerability Database (NVD) entry for CVE-2022-21974.
- Tenable's vulnerability information for CVE-2022-21974.
- GitHub repositories containing Proof-of-Concept (PoC) code for CVE-2022-21974.
- EchelonGraph's summary and analysis of CVE-2022-21974.
11. What is the risk assessment and urgency level?
The risk level for CVE-2022-21974 is assessed as High, primarily because of its CVSS v3.1 score of 7.8 and the fact that it enables Remote Code Execution (RCE). The ability of an attacker to execute arbitrary code on a vulnerable system makes this a severe vulnerability. The urgency level is also High because active exploits have been published, which increases the likelihood of successful attacks. Although it was not observed in the wild at the time of disclosure, the existence of public exploit code significantly raises the immediate threat. The Exploit Prediction Scoring System (EPSS) score for this CVE is 0.08342, placing it in the 92.6th percentile and indicating a high probability of exploitation within the next 30 days. Organizations should prioritize patching this vulnerability immediately.