• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT
How to Fix CVE-2022-30190- A Zero-Click RCE Vulnerability in MSDT

Security researchers bell alarm on a zero-day remote code execution vulnerability in Microsoft products. The group also said that the flaw is found to be actively exploited in the wild. The flaw that is tracked as CVE-2022-30190 is a zero-click RCE vulnerability in MSDT that allows attackers to run arbitrary code to install programs, view, change, delete data, or even create new accounts on the victim machines. All these aspects have made this flaw more concerned. It is important for all Windows users to know about this zero-click RCE vulnerability in MSDT and fix it as soon as possible. Let’s see how to fix CVE-2022-30190, a zero-click RCE vulnerability in MSDT, in this post.

About Microsoft Support Diagnostic Tool (MSDT):

Microsoft Support Diagnostics Tool, also known as Microsoft Automated Troubleshooting Services or MATS, is a Microsoft Windows tool designed to automatically collect Microsoft product problem information and assist Microsoft in diagnosing and resolving problems. MSDT helps Microsoft engineers troubleshoot problems with Microsoft products by collecting information about software and hardware configuration, settings, and usage.

Summary Of CVE-2022-30190:

This is a zero-click RCE vulnerability in MSDT. The flaw exists in ‘MSDT URL protocol’. Attackers can exploit this flaw just by calling MSDT using the URL protocol from a Microsoft Office application such as Word. Successful exploitation of this flaw allows attackers to run arbitrary code with the privileges of the calling application. The attacker can further use this vulnerability to install programs, view, change, delete data, or even create new accounts on the Windows machines. Huntress has published a detailed technical analysis of this flaw in its blog. Please go through it if you are querulous to know about the technical details.

To tell how it was a catch, on May 27th, 2022, a security research team known as Nao_sec found an old word doc file uploaded to VirusTotal from a Belarus IP. Upon investigating the Word doc file, the team found that it was a maldoc that uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. Here is the tweet from Nao_sec.

Two days later, a cybersecurity researcher, Kevin Beaumont, who dubbed the flaw “Follina,” confirmed that EDR tools failed to detect the maldoc in his tweet.

Associated CVE IDCVE-2022-30190
DescriptionA Zero-Click RCE Vulnerability in MSDT
Associated ZDI ID
CVSS Score7.8 High
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)Required
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Products Vulnerable To Follina, CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT:

Researchers Kevin Beaumont wrote in his Medium post that he successfully tested the flaw on a Windows 10 machine with fully disabled macros and enabled Defender. This clearly shows that this flaw is exploitable on all versions of Windows and Office 365 using .RTF files.

Kevin also wrote that the flaw was successfully tested on Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365 products. Please see the tweet from Rich Warren that shows a working flaw on Windows 11 with Office Pro Plus.

In support of that, there is a video clip shared by Didier Stevens that clarifies the flaw can be exploited on a patched version of Microsoft Office 2021.

PoC Created by Didier Stevens

How To Detect Your Windows Is Compromised To Follina Attack?

Well, it is not that difficult to determine if your machine is compromised by the Follina attack. If you see a child process of msdt.exe underneath the Microsoft Office process, then your machine could be compromised. Please refer to the technical analysis published by Huntress for more details.

How To Mitigate CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT?

Microsoft has acknowledged the vulnerability but has yet to release the package. Please track the status of the patches here.

Until there is a patch, you can apply these mitigation techniques to minimize the attack surface.

Block all Office applications from creating child processes on EDR/EndPoint tools. This prevents the creation of msdt.exe as a child process and blocks the exploitation. If your leadership team has concerns about implementing this block, then run the rule in Audit mode for a week or so. Once there is no impact seen, push the rule for production.

Prevent the malware execution by removing the file type associated with MS-MSDIT so that when the Word file opens, it will not be able to invoke MS-MSDIT. This can be done by editing the registry settings.Delete the HKCR:\ms-msdt registry as shone in the tweet.

How to Mitigate CVE-2022-30190 by disabling the MSDT URL Protocol

  1. Run Command Prompt as Administrator

    Type ‘command’ in the Search box. Right Click on it, Select Run as administrator

    Run Command Prompt as Administrator

  2. Take back up the registry key

    Enter the command to take the backup of the registry key.
    > reg export HKEY_CLASSES_ROOT\ms-msdt filename

    Take back up the registry key

  3. Delete the HKCR:\ms-msdt registry key

    Issue this command to delete the HKCR:\ms-msdt registry.
    > reg delete HKEY_CLASSES_ROOT\ms-msdt /f

    Delete the HKCR_ms-msdt registry key

  4. Revert the workaround by restoring the registry key from backup

    If in case you want to revert the changes, then you just need to restore the registry key from the backup. Run this command to do this.
    > reg import filename

    Revert the workaround by restoring the registry key from backup

This is how you can fix CVE-2022-30190- A Zero-Click RCE Vulnerability in MSDT.

We hope this post will help you know how to fix CVE-2022-30190,  a zero-click RCE vulnerability in MSDT. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn
Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

  1. You should probably note that these are NOT actual fixes, these are workarounds provided by Microsoft's Security Research Center. Also, please provide a source for the CVSS score, as one has not yet been provided by NVD. The 7.8 score is related to the CVE similar to this one, CVE-2021-40444, which allows a remote code execution from the MSHTML function, which is similar, but not the same as this CVE, which is based on the MSDT function. Please update your information to prevent any misinformation that may come from this. Thanks!

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.