Security researchers bell alarm on a zero-day remote code execution vulnerability in Microsoft products. The group also said that the flaw is found to be actively exploited in the wild. The flaw that is tracked as CVE-2022-30190 is a zero-click RCE vulnerability in MSDT that allows attackers to run arbitrary code to install programs, view, change, delete data, or even create new accounts on the victim machines. All these aspects have made this flaw more concerned. It is important for all Windows users to know about this zero-click RCE vulnerability in MSDT and fix it as soon as possible. Let’s see how to fix CVE-2022-30190, a zero-click RCE vulnerability in MSDT, in this post.
Table of Contents
About Microsoft Support Diagnostic Tool (MSDT):
Microsoft Support Diagnostics Tool, also known as Microsoft Automated Troubleshooting Services or MATS, is a Microsoft Windows tool designed to automatically collect Microsoft product problem information and assist Microsoft in diagnosing and resolving problems. MSDT helps Microsoft engineers troubleshoot problems with Microsoft products by collecting information about software and hardware configuration, settings, and usage.
Summary Of CVE-2022-30190:
This is a zero-click RCE vulnerability in MSDT. The flaw exists in ‘MSDT URL protocol’. Attackers can exploit this flaw just by calling MSDT using the URL protocol from a Microsoft Office application such as Word. Successful exploitation of this flaw allows attackers to run arbitrary code with the privileges of the calling application. The attacker can further use this vulnerability to install programs, view, change, delete data, or even create new accounts on the Windows machines. Huntress has published a detailed technical analysis of this flaw in its blog. Please go through it if you are querulous to know about the technical details.
To tell how it was a catch, on May 27th, 2022, a security research team known as Nao_sec found an old word doc file uploaded to VirusTotal from a Belarus IP. Upon investigating the Word doc file, the team found that it was a maldoc that uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. Here is the tweet from Nao_sec.
Two days later, a cybersecurity researcher, Kevin Beaumont, who dubbed the flaw “Follina,” confirmed that EDR tools failed to detect the maldoc in his tweet.
| Associated CVE ID | CVE-2022-30190 |
| Description | A Zero-Click RCE Vulnerability in MSDT |
| Associated ZDI ID | – |
| CVSS Score | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | Required |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Products Vulnerable To Follina, CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT:
Researchers Kevin Beaumont wrote in his Medium post that he successfully tested the flaw on a Windows 10 machine with fully disabled macros and enabled Defender. This clearly shows that this flaw is exploitable on all versions of Windows and Office 365 using .RTF files.
Kevin also wrote that the flaw was successfully tested on Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365 products. Please see the tweet from Rich Warren that shows a working flaw on Windows 11 with Office Pro Plus.
In support of that, there is a video clip shared by Didier Stevens that clarifies the flaw can be exploited on a patched version of Microsoft Office 2021.
How To Detect Your Windows Is Compromised To Follina Attack?
Well, it is not that difficult to determine if your machine is compromised by the Follina attack. If you see a child process of msdt.exe underneath the Microsoft Office process, then your machine could be compromised. Please refer to the technical analysis published by Huntress for more details.
How To Mitigate CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT?
Microsoft has acknowledged the vulnerability but has yet to release the package. Please track the status of the patches here.
Until there is a patch, you can apply these mitigation techniques to minimize the attack surface.
Block all Office applications from creating child processes on EDR/EndPoint tools. This prevents the creation of msdt.exe as a child process and blocks the exploitation. If your leadership team has concerns about implementing this block, then run the rule in Audit mode for a week or so. Once there is no impact seen, push the rule for production.
Prevent the malware execution by removing the file type associated with MS-MSDIT so that when the Word file opens, it will not be able to invoke MS-MSDIT. This can be done by editing the registry settings.Delete the HKCR:\ms-msdt registry as shone in the tweet.
How to Mitigate CVE-2022-30190 by disabling the MSDT URL Protocol
- Run Command Prompt as Administrator
Type ‘command’ in the Search box. Right Click on it, Select Run as administrator
- Take back up the registry key
Enter the command to take the backup of the registry key.
> reg export HKEY_CLASSES_ROOT\ms-msdt filename
- Delete the HKCR:\ms-msdt registry key
Issue this command to delete the HKCR:\ms-msdt registry.
> reg delete HKEY_CLASSES_ROOT\ms-msdt /f
- Revert the workaround by restoring the registry key from backup
If in case you want to revert the changes, then you just need to restore the registry key from the backup. Run this command to do this.
> reg import filename
This is how you can fix CVE-2022-30190- A Zero-Click RCE Vulnerability in MSDT.
We hope this post would help you know how to fix CVE-2022-30190, a zero-click RCE vulnerability in MSDT. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You should probably note that these are NOT actual fixes, these are workarounds provided by Microsoft's Security Research Center. Also, please provide a source for the CVSS score, as one has not yet been provided by NVD. The 7.8 score is related to the CVE similar to this one, CVE-2021-40444, which allows a remote code execution from the MSHTML function, which is similar, but not the same as this CVE, which is based on the MSDT function. Please update your information to prevent any misinformation that may come from this. Thanks!
Thanks for this correction!
I would agree that there is no patch officially released yet. These are just workarounds. This is what was written in the post.
I found the CVSS number CVSS:3.1 7.8 / 7.3 from Microsoft: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190