---
What’s CVE-2022-30148?
CVE-2022-30148 is a security vulnerability in Windows Desired State Configuration (DSC) that lets low-privilege users obtain sensitive information they shouldn’t have access to. Usually, DSC helps admins set up servers exactly the right way—think of it like a checklist for Windows configurations. But due to this vulnerability, some of that checklist—possibly including secrets like credentials—can leak to prying eyes.
Official summary:
> Windows DSC Information Disclosure Vulnerability.
> Microsoft Security Advisory
Why Does This Happen?
The issue appears because DSC could store or log sensitive data (like plaintext credentials) in files with overly-broad permissions. DSC runs as ‘SYSTEM’ and generates output/status files in a place that some regular users could read.
Exploit Details (How Could It Leak?)
Suppose you have a node in your network with DSC configured. When processing a configuration like this:
Configuration SampleDSC {
Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
Node 'localhost' {
File SecretFile {
DestinationPath = 'C:\Secrets\important.txt'
Contents = 'superSecretPassword123!'
}
}
}
SampleDSC
Start-DscConfiguration -Path .\SampleDSC -Wait -Verbose
Sometimes, the logs or status reports written by DSC include the Contents value. If these logs are saved in a world-readable directory (for example, under C:\Windows\System32\Configuration\ConfigurationStatus\), a regular user could just read them and find the sensitive string.
How Bad Is It?
Information Disclosure vulnerabilities don't directly let attackers run code or take over the box, but leakage of secrets can be a stepping-stone for bigger hacks.
Could let regular users get deployment details, connection strings, or plaintext passwords.
- Applies to both on-prem and cloud/deployed systems using DSC.
Mitigation & Fix
Microsoft patched this in their June 2022 Patch Tuesday.
See: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30148
Patch your Windows installations immediately.
- Review your DSC configurations—never store passwords in plaintext, use the PsDscRunAsCredential property for credential handling.
C:\Windows\System32\Configuration\ConfigurationStatus
- Clean up old/orphaned DSC log files after patching.
Real-World Example Walkthrough
Suppose an attacker has a standard user account (“user123”). After DSC applies a configuration, they check the logs:
cd C:\Windows\System32\Configuration\ConfigurationStatus
type some-guid.details.json
Inside, they spot
{
"resource": "File",
"destinationPath": "C:\\Secrets\\important.txt",
"contents": "superSecretPassword123!"
}
Microsoft Advisory:
CVE-2022-30148 - Windows DSC Info Disclosure
Deep dive write-up:
HackTricks: Windows DSC Vulnerabilities
Community PoC:
GitHub Discussion: DSC File Leakage
TL;DR
CVE-2022-30148 is a bug in Windows that could leak sensitive info to regular users through DSC status files. To stay safe, patch now, double-check your saved secrets, and lock down log file permissions.
Timeline
Published on: 06/15/2022 22:15:00 UTC
Last modified on: 06/27/2022 16:52:00 UTC