Published Date: 6/3/2022
Source(s): Nao_Sec, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: Nao_sec, Microsoft Security Response Center, SentinelLabs
Date(s) Issued:
Subject: CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
OVERVIEW
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Microsoft Word.
SYSTEMS AFFECTED:
The vulnerability has been demonstrated in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
RISK:
Remote code execution in Office products
THREAT SUMMARY: Follina — a Microsoft Office code execution vulnerability
On May 27th, 2022, Nao_sec identified this zero-day vulnerability in Office products. The malicious document used the Word remote template feature to retrieve an HTML file from a remote web server, which then used the ms-msdt URL protocol to load and execute malicious PowerShell code. This vulnerability has been successfully tested in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
CyFlare Actions Taken:
• Stellar Cyber – BDS: Stellar Cyber’s Machine Learning IDS engine and built-in threat intelligence are consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
• SentinelOne: SentinelOne currently detects the execution of known “Follina” samples exploiting CVE-2022-30190. SentinelOne has also provided ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customers’ SentinelOne environments.
• Rapid7: InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability: “Suspicious Process - Microsoft Office App Spawns MSDT.exe”.
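The Rapid7 rule named above is a parent/child process check: an Office application should not normally be the parent of msdt.exe. The following PowerShell is an added example written for this advisory and is not Rapid7’s InsightIDR rule or any vendor’s code. It applies that logic to a constructed set of process-creation records; the field names (ParentImage, Image, CommandLine) are assumed to follow Sysmon Event ID 1 naming and should be mapped to your own EDR or SIEM schema.

```powershell
# Added example (not Rapid7's or CyFlare's code): minimal "Office app spawns
# msdt.exe" detection over constructed process-creation records.
# Assumption: records expose ParentImage, Image and CommandLine (Sysmon-style names).

# Office binaries whose child processes are of interest (assumed list; extend as needed).
$OfficeProcesses = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-OfficeSpawnsMsdt {
    param([Parameter(Mandatory)] $Event)

    # Compare on the executable name only, case-insensitively, so install paths do not matter.
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()

    return ($OfficeProcesses -contains $parent) -and ($child -eq 'msdt.exe')
}

# Constructed sample events, not real telemetry.
$SampleEvents = @(
    # Benign: a user started a troubleshooter from the shell.
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe /id PCWDiagnostic'
    },
    # Suspicious: Word is the parent of msdt.exe, which matches the rule.
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:/id PCWDiagnostic'   # constructed placeholder command line
    }
)

# Emit one alert line per matching event.
$SampleEvents | Where-Object { Test-OfficeSpawnsMsdt $_ } | ForEach-Object {
    "ALERT: $($_.ParentImage) spawned msdt.exe (command line: $($_.CommandLine))"
}
```

Only the second constructed record produces an alert. In production the same predicate would be run over live Sysmon Event ID 1 or EDR process-creation events rather than the inline sample, and the parent-process list should be reviewed against the Office binaries actually deployed in your environment.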
Workarounds:
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings under other or additional troubleshooters. Follow these steps to disable it:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
1. Run Command Prompt as Administrator.
2. To restore the registry key, execute the command “reg import filename”.
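The workaround and its undo step above are the same three reg.exe commands wrapped in two functions. This PowerShell script is an added example written for this advisory, not Microsoft’s or CyFlare’s own script. It assumes an elevated PowerShell session and a backup location of your choosing ($BackupPath below is a placeholder); it adds the checks a practitioner wants around the raw commands: it skips the deletion when the key is already absent, refuses to delete if the backup failed, and verifies the key state after each step.

```powershell
# Added example (not Microsoft's or CyFlare's script): automates the ms-msdt
# URL protocol workaround from the advisory and its undo step.
# Assumptions: elevated PowerShell session; $BackupPath is a placeholder location.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # same key the advisory's reg commands use
$BackupPath = 'C:\Backup\ms-msdt.reg'                 # assumed backup location (placeholder)

function Disable-MsdtProtocol {
    param([string]$BackupFile = $BackupPath)

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output "ms-msdt key not present; workaround already applied or key never existed."
        return
    }

    # Step 2 of the advisory: back up the key before removing it.
    $backupDir = Split-Path -Path $BackupFile -Parent
    if (-not (Test-Path -Path $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup failed (reg export exit code $LASTEXITCODE); key left in place."
    }

    # Step 3 of the advisory: delete the key so ms-msdt: links no longer launch MSDT.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg delete failed (exit code $LASTEXITCODE)."
    }

    # Verify the handler is really gone.
    if (Test-Path -Path $KeyPath) {
        throw "ms-msdt key still present after delete."
    }
    Write-Output "ms-msdt URL protocol handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    param([string]$BackupFile = $BackupPath)

    if (-not (Test-Path -Path $BackupFile)) {
        throw "Backup file $BackupFile not found; cannot undo the workaround."
    }

    # Undo step from the advisory: import the exported key.
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg import failed (exit code $LASTEXITCODE)."
    }

    # Verify the handler is back.
    if (-not (Test-Path -Path $KeyPath)) {
        throw "ms-msdt key missing after import."
    }
    Write-Output "ms-msdt URL protocol handler restored from $BackupFile"
}

# Usage (elevated session):
#   Disable-MsdtProtocol
#   Restore-MsdtProtocol
```

Test-Path against the Registry:: provider is what makes the pre- and post-checks possible; the export and import are left to reg.exe so the backup file stays in the same .reg format the advisory’s manual steps produce, and the two functions remain interchangeable with them.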
Developing Situation:
The SOC will continue to research emerging related threats in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise, as well as scan for the vulnerability within our clients that subscribe to the Vulnerability Management Service.