{"id":19228,"date":"2022-06-01T18:40:04","date_gmt":"2022-06-02T02:40:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/01\/news-12961\/"},"modified":"2022-06-01T18:40:04","modified_gmt":"2022-06-02T02:40:04","slug":"news-12961","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/01\/news-12961\/","title":{"rendered":"CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability \u201cFollina\u201d"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

At the end of last week, @nao_sec, an independent cyber security research team, tweeted about a malicious Microsoft Word document submitted from Belarus that leverages remote templates to execute a PowerShell payload using the "ms-msdt" MSProtocol URI scheme. Additional developments over the weekend identified the issue as a new unpatched vulnerability in Windows. A successful attack results in a remote, unauthenticated attacker taking control of an affected system. A publicly available Proof-of-Concept soon followed.<\/p>\n

This issue is referred to as \u201cFollina\u2019 and has a CVE assignment of CVE-2022-30190.<\/p>\n

The name of the vulnerability is credited to security researcher Kevin Beaumont. "Follina" was derived from his analysis of the 0-day that contained code referencing "0438", which is the area code of Follina, Italy. Most of the time, it\u2019s a bad sign when a vulnerability is crowned with a unique name (having a mind-shaking logo is usually the last dagger \u2013 such as Heartbleed, Shellshock, and EternalBlue, but thankfully, this issue is not in the same league as those.<\/p>\n

As FortiGuard Labs is on high watch for the development of proof of concept code for CVE-2022-30190, this blog intends to raise awareness of this critical vulnerability and to urge administrators and various organizations to take quick corrective action until Microsoft releases a patch. <\/p>\n

Affected platforms:<\/b> Microsoft Windows
Impacted parties: <\/b>Microsoft Windows Users
Impact:<\/b> Full Control of Affected Machine
Severity level: <\/b>Critical <\/p>\n

Impact Assessment<\/h2>\n

The first question you probably would ask is how bad this vulnerability is. CVE-2022-30190 is rated as CVSS 7.8 (Critical), and there are a number of reasons for it.<\/p>\n

This vulnerability is in the Microsoft Support Diagnostic Tool (MSDT), a tool from Microsoft that collects and sends system information back to Microsoft Support for problem diagnostics, such as issues with device drivers, hardware, etc. This tool is in all versions of Windows, including Windows Server OS. Because of the lack of an available patch from Microsoft (as of June 1st,<\/sup> 2022), machines that are not protected by endpoint software or a mitigation strategy are vulnerable to Follina.<\/p>\n

As proof-of-concept code is publicly available, this code can be freely used by security researchers, administrators, and threat actors alike. As such, attacks that leverage CVE-2022-30190 are expected to increase over the next few days and weeks.<\/p>\n

Protected View<\/a>, a feature in Microsoft Office that opens Office documents in read-only mode with macros and other content disabled, can prevent this attack. However, reports from researchers have revealed that if a document is converted to Rich Text Format (RTF) format, simply previewing the document in Windows Explorer can trigger the exploit, bypassing Protected View. At the time of writing, Microsoft\u2019s latest advisory has not confirmed this nor whether this is another exploitation vector.<\/p>\n

On a side note, despite using \u201cremote\u201d in the vulnerability name, the attack happens locally, and user interaction is required for the attack to work. Microsoft\u2019s advisory calls out this point: \u201cThe word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\u201d<\/p>\n

Additionally, the vulnerability has already experienced in-the-wild attacks. As shown in the timeline at the end of this blog (see Timeline), a series of initial attacks were reportedly observed in March 2022, targeting the Philippines, Nepal, and India. Additional files were submitted to VirusTotal from Russia and Belarus. Those attacks were most likely targeted attacks as the domains involved reveal little activity in our telemetry.<\/p>\n

Due to the severity of the vulnerability, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory<\/a> on May 31st,<\/sup> urging users and administrators to apply necessary workarounds as soon as possible.<\/p>\n

Exploit<\/h2>\n

The vulnerability that exists within msdt.exe is the Microsoft Support Diagnostic Tool. Normally, this tool is used to diagnose faults with the operating system and then report and provide system details back to Microsoft Support.<\/p>\n<\/p><\/div>\n