
Warning – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability CVE-2022-30190 (a.k.a. FOLLINA) actively exploited

Reference: Advisory #2022-016
Version: 1.1
Affected software: Microsoft Windows Operating Systems using Microsoft Support Diagnostics Tool (MSDT)
Type: Remote Code Execution
CVE/CVSS: CVE-2022-30190 (Follina)

Sources

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

 

Risks

Researchers have identified a zero-day remote code execution vulnerability leveraging the Microsoft Support Diagnostics Tool (MSDT). This vulnerability is actively exploited in the wild.

The arbitrary code runs with the privileges of the current user. An attacker can chain other exploits to gain higher privileges.

The attack can be successful without opening the malicious file. Previewing the file is sufficient.

 

Description

Microsoft published CVE-2022-30190 to address a remote code execution vulnerability.

Microsoft noted:

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.”

Microsoft published guidance on how to respond to this vulnerability.

Recommended Actions

Update 15-06-2022

Patch (Tuesday June 2022)

Microsoft has released security updates with the June 2022 cumulative Windows Updates to address CVE-2022-30190 (a.k.a. FOLLINA).

Today's updates do not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction. The attack vector is disabled by blocking PowerShell injection.

The CCB urges organisations to install the updates to be fully protected from the vulnerability.

Remark: Organisations whose systems are configured to receive automatic updates are patched automatically.

Workaround

Microsoft suggests removing the “HKEY_CLASSES_ROOT\ms-msdt” registry key to disable the MSDT URL protocol. For scalability, use the “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” Group Policy to disallow users from running troubleshooting wizards: https://twitter.com/gentilkiwi/status/1531384447219781634

Customers using Microsoft Defender Antivirus “should turn-on cloud-delivered protection and automatic sample submission” and those using Microsoft Defender for Endpoint can enable the attack surface reduction rule that blocks Office apps from creating child processes.
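
The state of these workarounds can be checked, and the registry workaround applied, per host with a script. The PowerShell below is an added example, not code from the CCB or Microsoft; the EnableDiagnostics policy value name, the ASR rule GUID, the -Apply switch and the backup path are assumptions that do not appear in this advisory.

```powershell
# Added example: report, and optionally apply, the MSDT workarounds on one host.
# Run elevated. Without -Apply the script only reports and changes nothing.
param(
    [switch]$Apply,
    [string]$BackupFile = "$env:SystemDrive\ms-msdt-backup.reg"  # assumed location
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
# Assumption: GUID of "Block all Office applications from creating child processes".
$asrRuleId  = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

function Get-AsrRuleAction {
    # Returns the configured action (0 = off, 1 = block, 2 = audit, 6 = warn),
    # or $null when the Defender cmdlets are not available on this host.
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { return $null }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $asrRuleId) { return $actions[$i] }
    }
    return 0
}

function Get-MsdtMitigationState {
    # Assumption: the policy stores its setting in the DWORD value EnableDiagnostics.
    $policy = Get-ItemProperty -Path $policyKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        MsdtHandlerPresent   = Test-Path -Path $handlerKey
        WizardsBlockedPolicy = ($null -ne $policy -and $policy.EnableDiagnostics -eq 0)
        OfficeChildAsrAction = Get-AsrRuleAction
    }
}

$state = Get-MsdtMitigationState
if ($Apply -and $state.MsdtHandlerPresent) {
    # Export first so the handler can be restored later with "reg import".
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
    Remove-Item -Path $handlerKey -Recurse -Force
    $state = Get-MsdtMitigationState
}
$state
```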

Protected View provides protection against the vulnerability if the calling application is a Microsoft Office Application. Remark: researcher Kevin Beaumont noted that changing a Word document to the Rich Text Format bypasses the Protected View protection.

Finally, organizations should warn employees not to open unsolicited attachments and, in this case, to not even hover over a downloaded file.

 

 
