
Introduction

On May 10, 2022, Microsoft published a security advisory disclosing CVE-2022-29120, a significant information disclosure vulnerability affecting Windows Clustered Shared Volumes (CSV). This flaw may not be as well known as big ransomware exploits, but for organizations running Windows Server clusters, the fix is crucial. This CVE is distinct from others released around the same time, such as CVE-2022-29122, CVE-2022-29123, and CVE-2022-29134, because it specifically affects how the Cluster Shared Volumes service handles files.

This long read will dive deep into what CVE-2022-29120 is, why it matters, how it can be exploited, and what you can do to stay secure. We'll include easy-to-understand code snippets and links for reference.

What is Clustered Shared Volume (CSV)?

Clustered Shared Volume is a Windows Server feature that allows multiple nodes in a failover cluster to concurrently access NTFS or ReFS formatted volumes. CSV is widely used in Windows Hyper-V deployments for live migration and high availability. If there’s a flaw here, many virtual machines (VMs) or storage-driven services could be at risk.

What is CVE-2022-29120?

CVE-2022-29120 is an information disclosure vulnerability in Windows Clustered Shared Volumes. In simple terms, it means an attacker who has gained limited rights on a system might be able to read sensitive files that should be off-limits.

- Attack Vector: Local, authenticated attacker (must have access to a system in the Windows cluster)

- Severity: Important (not critical, but serious enough)

- Affected OS: Windows Server 2012/2016/2019/2022

Microsoft's summary:

> An information disclosure vulnerability exists when Windows Cluster Shared Volumes improperly handle file access.

Source: Microsoft CVE-2022-29120 Security Update Guide

When an application or user requests access to files on a CSV, the system checks permissions.

- Certain edge cases/operations in the CSV driver may skip proper permission checks.
- This lapse allows a user with low privileges (like a regular account) to read or copy files from sensitive areas (system files, data files from other users, etc.) that they shouldn’t be able to touch.

1. Attacker Gets on the Box

The attacker first needs a legitimate, low-privilege account on a cluster node (not remote code execution from the internet).

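2. Using PowerShell, enumerate mounted CSVs

```powershell
# The mount point is exposed as SharedVolumeInfo.FriendlyVolumeName, so project it explicitly
Get-ClusterSharedVolume | Select-Object Name, State, @{ Name = 'Mountpoint'; Expression = { $_.SharedVolumeInfo.FriendlyVolumeName } }
```

Sample Output

```
Name             State    Mountpoint
Cluster Disk 1   Online   C:\ClusterStorage\Volume1
```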

3. Using built-in commands, the attacker tries to read a sensitive file (for example, the SYSTEM hive)

```powershell
Get-Content "C:\ClusterStorage\Volume1\Windows\System32\config\SYSTEM"
```

*Note: In normal conditions, this will be blocked unless the attacker has admin rights.*

4. Exploiting the Vulnerability

By abusing the CSV file-handling bug, an attacker finds an operation that bypasses access checks (details withheld for responsible disclosure). Sometimes, attackers have used alternate data streams or symlinks to trick the CSV layer.

Example exploit steps (pseudocode)

```powershell
# ATTENTION: Only run this in a test environment!
# This is a theoretical illustration.
# The exact bug trigger is not public, but let's simulate:
$forbiddenPath = "C:\ClusterStorage\Volume1\Users\Administrator\secret.txt"
$copyPath = "C:\Users\Public\stolen.txt"

Copy-Item $forbiddenPath $copyPath
```

If the bug is unpatched, the copy might succeed, leaking the file. On a patched system, access is denied.

CVE-2022-29120: Strictly about leaking info via CSV file access, not gaining higher privileges.

Each CVE targets a different aspect of Windows Server security. It’s important to patch each one, as attackers often chain bugs.

Microsoft's Patch and Guidance

Microsoft patched this bug in their May 2022 updates.

- Microsoft Security Update Guide for CVE-2022-29120
- May 2022 Cumulative Updates

To stay safe

1. Update all cluster nodes to the latest Windows Server monthly cumulative updates containing the fix for CVE-2022-29120.

2. Reduce who can log on interactively to any cluster node.

3. Audit access to CSVs using the event log and check for suspicious file reads/writes.
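
One way to act on the audit recommendation, as an added example that is not part of the original article: with file-system auditing enabled on the CSV folders, the PowerShell below filters Security event 4663 records for reads under C:\ClusterStorage by accounts outside an expected list. The function names, the svc-backup and jdoe accounts and the sample records are constructed for illustration, and it assumes ObjectName is logged with the C:\ClusterStorage path.

```powershell
# Added example (not from the original article). Assumes "Audit File System" is
# enabled and an auditing SACL is set on the CSV folders, so reads produce
# Security event 4663 with ObjectName under C:\ClusterStorage.
function ConvertFrom-Event4663 {
    # Flatten a Get-WinEvent record into the fields the filter needs.
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $WinEvent.TimeCreated
            SubjectUserName = $data['SubjectUserName']
            ObjectName      = $data['ObjectName']
            AccessMask      = $data['AccessMask']
            ProcessName     = $data['ProcessName']
        }
    }
}

function Find-UnexpectedCsvRead {
    # Return read events under $CsvRoot made by accounts not in $ExpectedReader.
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [string]   $CsvRoot = 'C:\ClusterStorage',
        [string[]] $ExpectedReader = @()          # hypothetical allow-list for your site
    )
    $prefix = $CsvRoot.TrimEnd('\') + '\'
    foreach ($r in $Record) {
        $mask     = [Convert]::ToInt64($r.AccessMask, 16)   # logged as hex, e.g. 0x1
        $isRead   = ($mask -band 0x1) -ne 0                  # 0x1 = ReadData
        $underCsv = ([string]$r.ObjectName).StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        if ($isRead -and $underCsv -and ($ExpectedReader -notcontains $r.SubjectUserName)) { $r }
    }
}

# Constructed sample records, not real log data.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2022-05-12 09:14'; SubjectUserName = 'svc-backup'; ObjectName = 'C:\ClusterStorage\Volume1\VMs\web01.vhdx'; AccessMask = '0x1'; ProcessName = 'agent.exe' }
    [pscustomobject]@{ TimeCreated = '2022-05-12 09:20'; SubjectUserName = 'jdoe'; ObjectName = 'C:\ClusterStorage\Volume1\Users\Administrator\secret.txt'; AccessMask = '0x1'; ProcessName = 'powershell.exe' }
    [pscustomobject]@{ TimeCreated = '2022-05-12 09:21'; SubjectUserName = 'jdoe'; ObjectName = 'C:\Users\jdoe\notes.txt'; AccessMask = '0x1'; ProcessName = 'notepad.exe' }
)
Find-UnexpectedCsvRead -Record $sample -ExpectedReader 'svc-backup' | Format-Table -AutoSize

# On a cluster node (elevated), feed it live events instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 | ConvertFrom-Event4663
# Find-UnexpectedCsvRead -Record $live -ExpectedReader 'svc-backup'
```

Run it on every node that can own the volume, since each node writes its own Security log.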

References & Further Reading

- Microsoft Security Response Center — CVE-2022-29120
- Microsoft: How Clustered Shared Volume works
- Tenable Advisory
- NIST NVD - CVE-2022-29120

Conclusion

CVE-2022-29120 may not make headlines, but for Windows Server admins, it's a must-patch. Information disclosure vulnerabilities are often the first step in an attack chain, so don’t wait. Apply Microsoft’s fix, restrict cluster node logon, and audit your infrastructure.

Remember: Protecting dense, shared environments like clusters is about closing every gap—even the ones that "just" leak files.

Stay patched, stay safe!

*This article is original content synthesizing public advisories, security research, and hands-on experience working with Windows Server environments.*

Timeline

Published on: 05/10/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC