Follina, CVE-2022-30190, Zero Day — Mitigation

Mr. Cyber
Jun 3, 2022

On May 27, 2022, the nao_sec security research team reported an in-the-wild sample of what became known as Follina, a zero-day that Microsoft tracks as CVE-2022-30190. The vulnerability itself is in the Microsoft Support Diagnostic Tool (MSDT); the sample was a malicious Word document that reached MSDT through the ms-msdt URL protocol handler and used it to execute commands.

Successful exploitation requires the attacker to craft a malicious Word document that contains an external reference (an OLE object relationship) to an attacker-controlled HTML file. That HTML file carries a script that navigates to an ms-msdt: URL, which causes msdt.exe to be launched with attacker-supplied parameters.

When the user opens the document, the payload runs without any macros being enabled, so the usual "Enable Content" prompt never appears. If the document is delivered as RTF, it is enough for the file to be rendered in the Windows Explorer preview pane. Documents that open in Protected View (the default for files downloaded from the internet) do not trigger the payload until the user leaves Protected View; the RTF preview-pane path does not go through Protected View.

Is there a risk?

78% of businesses can potentially be compromised whenever a new RCE (Remote Code Execution) technique is found. This zero-day demonstrates why it is so important to harden and continuously improve the security posture of your organization.

Given the widespread use of Microsoft Office products, this RCE vulnerability, which lets an attacker execute code on the target system simply by getting a document opened or previewed, could cause significant harm to any organization.

Because there is no patch from Microsoft yet, the impact is high: a single opened document gives the attacker initial access as the victim user, from which they can move laterally in the organization's environment.

So far Microsoft has only published a workaround: unregistering the ms-msdt URL protocol, so that MSDT troubleshooters can no longer be launched through a URL.

Several ready-to-use public proof-of-concept exploits are already available, which lowers the bar for attackers and increases the likelihood of being targeted with this vulnerability.

What is CVE-2022-30190, and what products does it affect?

The CVE-2022-30190 vulnerability is in the Microsoft Windows Support Diagnostic Tool (MSDT), which on its own does not sound like a big deal. Unfortunately, because of the way this tool can be invoked, the vulnerability is reachable from a malicious MS Office document.

MSDT is an application that collects diagnostic information and runs troubleshooters when something goes wrong with Windows. It can be invoked from other applications (Microsoft Word is the most popular example) through the special ms-msdt URL protocol. If the vulnerability is successfully exploited, an attacker can run arbitrary code with the privileges of the application that invoked MSDT, which in this case means the rights of the user who opened the malicious file.

Microsoft lists all supported Windows versions, both desktop and server, as affected by CVE-2022-30190, because MSDT ships with the operating system itself rather than with Office.

Who is affected?

Since there is no patch yet, the full set of vulnerable configurations is not settled, and because the flaw is in MSDT rather than in Office, any application that can be made to open an ms-msdt: URL is a possible vector. So far, researchers have confirmed Microsoft Office 2013, 2016, 2019, and 2021 as working vectors.

How attackers exploit CVE-2022–30190

As a demonstration of an attack, the researchers who discovered it describe the following scenario. Attackers create a malicious MS Office document and somehow get it to the victim. The most common way to do this is to send an e-mail with a malicious attachment, spiced up with some classic social engineering ploy to convince the recipient to open the file. Something like “Urgently check the contract, signing tomorrow morning” can do the trick.

The infected file contains a link to an HTML file whose JavaScript navigates to an ms-msdt: URL. The parameters of that URL carry the attacker's command line, which MSDT executes when the troubleshooter runs. As a result of successful exploitation, the attackers can install programs, view, modify or destroy data, and create new accounts, that is, do anything the victim's privileges allow on the system.
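The execution chain described above (Office process, then msdt.exe with the ms-msdt: URL on its command line, then the troubleshooter host running the payload) is visible in process-creation telemetry. The following is an added example, not code from the original post or from the researchers it cites: a small PowerShell hunt over constructed sample events shaped like Sysmon Event ID 1 or Security 4688 records. The hostnames, timestamps and command lines are made up for illustration; the indicator strings (ms-msdt:, PCWDiagnostic, IT_BrowseForFile, IT_RebrowseForFile) are the ones seen in the public in-the-wild sample.

```powershell
# Added example (not from the original post): hunt for the Follina execution chain
# over process-creation events. Replace $events with real Sysmon ID 1 / Security 4688
# records that carry Host, Time, Image, ParentImage and CommandLine fields.

$officeParents    = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$cliIndicators    = 'ms-msdt:', 'PCWDiagnostic', 'IT_BrowseForFile', 'IT_RebrowseForFile'
$diagHostChildren = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'rundll32.exe', 'calc.exe'

function Find-FollinaActivity {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $image   = [System.IO.Path]::GetFileName($e.Image).ToLower()
        $parent  = [System.IO.Path]::GetFileName($e.ParentImage).ToLower()
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Rule 1: an Office application has no legitimate reason to spawn msdt.exe
        if ($image -eq 'msdt.exe' -and $officeParents -contains $parent) {
            $reasons.Add("msdt.exe spawned by Office process $parent")
        }

        # Rule 2: msdt.exe launched through the URL handler with the PCWDiagnostic
        # troubleshooter and the IT_*File parameters used to smuggle the command
        $hits = @($cliIndicators | Where-Object { $e.CommandLine -like "*$_*" })
        if ($image -eq 'msdt.exe' -and $hits.Count -ge 2) {
            $reasons.Add("msdt.exe command line contains: $($hits -join ', ')")
        }

        # Rule 3: the scripted-diagnostics host spawning an interpreter or LOLBin
        if ($parent -eq 'sdiagnhost.exe' -and $diagHostChildren -contains $image) {
            $reasons.Add("sdiagnhost.exe spawned $image")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Host        = $e.Host
                Time        = $e.Time
                Image       = $image
                Parent      = $parent
                Reasons     = $reasons -join '; '
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (hypothetical hosts and command lines).
$events = @(
    [pscustomobject]@{ Host = 'WS01'; Time = '2022-06-01T09:12:03Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression(...))))"' },
    [pscustomobject]@{ Host = 'WS01'; Time = '2022-06-01T09:12:05Z'
        ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -enc AAAA' },
    [pscustomobject]@{ Host = 'WS02'; Time = '2022-06-01T10:40:00Z'
        ParentImage = 'C:\Windows\explorer.exe'          # benign: user opened a troubleshooter
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' }
)

Find-FollinaActivity -Events $events | Format-Table -AutoSize
```

Only the two WS01 events are reported; the Explorer-launched troubleshooter on WS02 matches none of the rules. Rule 1 alone is the cheapest and most robust of the three, since it does not depend on the exact troubleshooter ID or parameter names the attacker chooses.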

How to stay safe?

  1. Identify all machines that are running a vulnerable Office version (see "Who is affected?" above)
  2. Unregister the ms-msdt protocol via Group Policy
  • Create a new Registry item under Computer Configuration (or User Configuration) > Preferences > Windows Settings > Registry. HKEY_CLASSES_ROOT is machine-wide (it maps to HKLM\SOFTWARE\Classes), so Computer Configuration is the natural scope
  • Use the **Registry Browser** to select the key HKEY_CLASSES_ROOT\ms-msdt
  • Open the item properties in the GPO console and change the Action to **Delete**
  • Save the changes and link the GPO; the key is removed on the next policy refresh
  3. Unregister the ms-msdt protocol on a specific machine
  • Open Registry Editor as an administrator
  • Navigate to Computer\HKEY_CLASSES_ROOT\ms-msdt
  • Export the key first (reg export) so the workaround can be reverted later, then delete it. Deletion can also be done from an elevated command prompt:

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Disable scripted diagnostics (Troubleshooting Wizards) via the registry or GPO. This is a separate, broader hardening step that stops MSDT from running troubleshooter scripts at all. It can be deployed as a Registry preference item in the same way as above, or through the policy "Troubleshooting: Allow users to access and run Troubleshooting Wizards" under Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Scripted Diagnostics (set to Disabled).

  1. Open Registry Editor as an administrator
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics (create the key if it does not exist)
  3. Create or set the DWORD value EnableDiagnostics to 0

Disable the preview pane via Group Policy. This only addresses the preview-pane trigger (the RTF variant); it does not stop a user from opening the file.

  1. Open Group Policy Editor
  2. Navigate to User Configuration > Administrative Templates > Windows Components > File Explorer > Explorer Frame Pane
  3. Open the Turn off Preview Pane setting
  4. Select Enabled and click OK
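The three host-level steps above (unregister ms-msdt, disable scripted diagnostics, turn off the preview pane) can be applied and verified in one go from an elevated PowerShell session. The following is an added example, not a script from the original post or from Microsoft's guidance. It uses the registry paths the post names; the NoReadingPane value is the one the "Turn off Preview Pane" policy writes under the per-user Policies\Explorer key (assumption: per-user policy path, so it applies to the current user only). The backup file location is an arbitrary choice.

```powershell
# Added example (not from the original post): apply, verify and roll back the
# Follina workarounds on a single host. Run from an elevated PowerShell session.

$protocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$previewKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$backupFile  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # arbitrary location

function Get-FollinaWorkaroundState {
    # Reports the three conditions the post's mitigation steps change.
    $diag    = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $preview = Get-ItemProperty -Path $previewKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtocolRegistered = Test-Path $protocolKey                 # vulnerable if $true
        DiagnosticsEnabled = -not ($diag    -and $diag.EnableDiagnostics -eq 0)
        PreviewPaneOff     = [bool]($preview -and $preview.NoReadingPane -eq 1)
    }
}

function Invoke-FollinaWorkaround {
    # 1. Back up, then unregister the ms-msdt URL protocol handler (Microsoft's workaround)
    if (Test-Path $protocolKey) {
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y | Out-Null
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }
    # 2. Disable scripted diagnostics (Troubleshooting Wizards) by policy
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableDiagnostics -Type DWord -Value 0
    # 3. Turn off the Explorer preview pane for the current user
    New-Item -Path $previewKey -Force | Out-Null
    Set-ItemProperty -Path $previewKey -Name NoReadingPane -Type DWord -Value 1
}

function Undo-FollinaWorkaround {
    # Restores the exported handler and removes the two policy values, for use once a patch is installed.
    if (Test-Path $backupFile) { & reg.exe import $backupFile | Out-Null }
    Remove-ItemProperty -Path $policyKey  -Name EnableDiagnostics -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $previewKey -Name NoReadingPane     -ErrorAction SilentlyContinue
}

'Before:'; Get-FollinaWorkaroundState
Invoke-FollinaWorkaround
'After:';  Get-FollinaWorkaroundState
```

A host is in the mitigated state when ProtocolRegistered is False. Keep the exported .reg file: Undo-FollinaWorkaround re-imports it so the protocol handler can be restored once Microsoft ships a patch, which is the reason the post recommends exporting before deleting.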

Workaround Impact

Unregistering the ms-msdt protocol does not make troubleshooting impossible. Troubleshooters can still be reached through the Get Help application and from Settings, which Microsoft notes remain available as additional troubleshooters.

PoC

  1. https://twitter.com/nao_sec/status/1530196847679401984
  2. https://www.youtube.com/watch?v=dGCOhORNKRk&t=625s
  3. https://github.com/JohnHammond/msdt-follina
