Security researchers bell alarm on a zero-day remote code execution vulnerability in Microsoft products. The group also said that the flaw is found to be actively exploited in the wild. The flaw that is tracked as CVE-2022-30190 is a zero-click RCE vulnerability in MSDT that allows attackers to run arbitrary code to install programs, view, change, delete data, or even create new accounts on the victim machines. All these aspects have made this flaw more concerned. It is important for all Windows users to know about this zero-click RCE vulnerability in MSDT and fix it as soon as possible. Let’s see how to fix CVE-2022-30190, a zero-click RCE vulnerability in MSDT, in this post.
About Microsoft Support Diagnostic Tool (MSDT):
Microsoft Support Diagnostics Tool, also known as Microsoft Automated Troubleshooting Services or MATS, is a Microsoft Windows tool designed to automatically collect Microsoft product problem information and assist Microsoft in diagnosing and resolving problems. MSDT helps Microsoft engineers troubleshoot problems with Microsoft products by collecting information about software and hardware configuration, settings, and usage.
Summary Of CVE-2022-30190:
This is a zero-click RCE vulnerability in MSDT. The flaw exists in ‘MSDT URL protocol’. Attackers can exploit this flaw just by calling MSDT using the URL protocol from a Microsoft Office application such as Word. Successful exploitation of this flaw allows attackers to run arbitrary code with the privileges of the calling application. The attacker can further use this vulnerability to install programs, view, change, delete data, or even create new accounts on the Windows machines. Huntress has published a detailed technical analysis of this flaw in its blog. Please go through it if you are querulous to know about the technical details.
To tell how it was a catch, on May 27th, 2022, a security research team known as Nao_sec found an old word doc file uploaded to VirusTotal from a Belarus IP. Upon investigating the Word doc file, the team found that it was a maldoc that uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. Here is the tweet from Nao_sec.
Two days later, a cybersecurity researcher, Kevin Beaumont, who dubbed the flaw “Follina,” confirmed that EDR tools failed to detect the maldoc in his tweet.
| Associated CVE ID | CVE-2022-30190 |
| Description | A Zero-Click RCE Vulnerability in MSDT |
| Associated ZDI ID | – |
| CVSS Score | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | Required |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Products Vulnerable To Follina, CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT:
Researchers Kevin Beaumont wrote in his Medium post that he successfully tested the flaw on a Windows 10 machine with fully disabled macros and enabled Defender. This clearly shows that this flaw is exploitable on all versions of Windows and Office 365 using .RTF files.
Kevin also wrote that the flaw was successfully tested on Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365 products. Please see the tweet from Rich Warren that shows a working flaw on Windows 11 with Office Pro Plus.
In support of that, there is a video clip shared by Didier Stevens that clarifies the flaw can be exploited on a patched version of Microsoft Office 2021.PoC Created by Didier Stevens
How To Detect Your Windows Is Compromised To Follina Attack?
Well, it is not that difficult to determine if your machine is compromised by the Follina attack. If you see a child process of msdt.exe underneath the Microsoft Office process, then your machine could be compromised. Please refer to the technical analysis published by Huntress for more details.
How To Mitigate CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT?
Microsoft has acknowledged the vulnerability but has yet to release the package. Please track the status of the patches here.
Until there is a patch, you can apply these mitigation techniques to minimize the attack surface.
Block all Office applications from creating child processes on EDR/EndPoint tools. This prevents the creation of msdt.exe as a child process and blocks the exploitation. If your leadership team has concerns about implementing this block, then run the rule in Audit mode for a week or so. Once there is no impact seen, push the rule for production.
Prevent the malware execution by removin#” target=”_blank” rel=”noreferrer noopener”>HKCR:ms-msdt registry as shone in the tweet.
FYI: pic.twitter.com/t3ORRGaAnD— Didier Stevens (@DidierStevens) May 29, 2022
How to Mitigate CVE-2022-30190 by disabling the MSDT URL Protocol
- Run Command Prompt as AdministratorType ‘command’ in the Search box. Right Click on it, Select Run as administrator
- Take back up the registry keyEnter the command to take the backup of the registry key.
> reg export HKEY_CLASSES_ROOTms-msdt filename
- Delete the HKCR:ms-msdt registry keyIssue this command to delete the HKCR:ms-msdt registry.
> reg delete HKEY_CLASSES_ROOTms-msdt /f
- Revert the workaround by restoring the registry key from backupIf in case you want to revert the changes, then you just need to restore the registry key from the backup. Run this command to do this.
> reg import filename
This is how you can fix CVE-2022-30190- A Zero-Click RCE Vulnerability in MSDT.