Note: Blumira’s security team is currently working to create an accurate detection rule to identify exploits of this vulnerability. We will update this post accordingly with new developments.
Update (6/1/22 @ 11:00 AM ET): Using Blumira’s new detection rule, customers who are sending Windows endpoint logs to Blumira can now detect instances of CVE-2022-30190 being exploited in their environment. The detection rule has been automatically rolled out to the Blumira platform.
A remote code execution (RCE) vulnerability was discovered in Microsoft Support Diagnostic Tool (MSDT) — a utility used to troubleshoot and collect diagnostic data — and Microsoft Office.
Dubbed “Follina,” the flaw was discovered when an independent research team called nao_sec found a malicious Word document that uses Word’s external link feature to load HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
According to Microsoft, successfully exploiting the vulnerability can enable an attacker to download arbitrary remote code, and run it on a system with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Testing is inconclusive on the latest version of Microsoft Office, including Insider and Preview versions. This may be patched or require additional testing to verify. At this time, it should be assumed that all versions of Microsoft Office are vulnerable.
How Bad is This?
This vulnerability has been scored as a 7.3, which indicates that the vulnerability is “High” severity, but does not reach the level of “Critical.” However, an RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers.
What Should I Do?
All organizations should be implementing email attachment and URL scanning, DNS filtering, and using a SIEM with detection capabilities to expose attacker behavior in an environment. Advanced anti-malware/EDR tools have also started to add detection rules into their products to detect successful use of this vulnerability.
Using this vulnerability, attackers can leverage remote templates to load malicious code, which prevents Word from flagging the document as a threat. IT and security teams should take the opportunity to remind end users about the dangers of untrusted documents, and remote templates in general.
Unfortunately, disabling Microsoft Office macros does not fix the issue. You should still consider disabling Office macros as a general security practice.
However, according to Microsoft, you can disable the MSDT URL protocol as a temporary fix:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
This fix was confirmed via Twitter by Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE, but the impact of this workaround in a large production environment is unknown. Before implementing this fix, you should ensure you have a plan to undo the fix once a security patch is released and verified to fix the vulnerability.
The new #msdt 0-day can be mitigated by removing the protocol handler for ms-msdt (reg delete hkcr\ms-msdt /f).
Disclaimer: I haven’t checked for impacts in a large production environment, but seems better than being exploited. MSDT is just a diagnostic tool, so likely safe. https://t.co/g2aU72n89v pic.twitter.com/DroFUZfAok
— Jake Williams (@MalwareJake) May 29, 2022
How To Detect
SIEMs and EDR tools should be on the lookout for child processes with sdiagnhost.exe as the parent process.
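One way to express that check in PowerShell, as an added example that is not Blumira's detection rule. It assumes process-creation records with Sysmon Event ID 1 field names; the sample events are constructed, and the `$Interpreters` triage list and the function names are assumptions of this example.

```powershell
# Added example. Records use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine).

# Assumption, not from the page: child processes worth triaging first.
$Interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'

function ConvertFrom-SysmonEvent {
    # Flattens a Get-WinEvent record into an object with one property per EventData field.
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $rec = [ordered]@{ Computer = $WinEvent.MachineName }
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Find-SdiagnhostChild {
    # Emits one finding for every process whose parent is sdiagnhost.exe.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if (-not $Record.ParentImage -or -not $Record.Image) { return }
        if ((Split-Path -Leaf $Record.ParentImage) -ine 'sdiagnhost.exe') { return }
        $child = Split-Path -Leaf $Record.Image
        [pscustomobject]@{
            UtcTime     = $Record.UtcTime
            Computer    = $Record.Computer
            Child       = $child
            Priority    = if ($Interpreters -contains $child) { 'High' } else { 'Review' }
            CommandLine = $Record.CommandLine
        }
    }
}

# Constructed sample events (not real telemetry).
$sample = @(
    [pscustomobject]@{ UtcTime = '2022-06-01 14:02:11.120'; Computer = 'WS-EXAMPLE-01'; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe'; CommandLine = 'cmd.exe /c echo constructed-sample' }
    [pscustomobject]@{ UtcTime = '2022-06-01 14:02:11.340'; Computer = 'WS-EXAMPLE-01'; Image = 'C:\Windows\System32\conhost.exe'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe'; CommandLine = 'conhost.exe 0xffffffff' }
    [pscustomobject]@{ UtcTime = '2022-06-01 14:05:40.002'; Computer = 'WS-EXAMPLE-02'; Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe' }
)

# Prints two findings: cmd.exe (High) and conhost.exe (Review). The notepad.exe event is ignored.
$sample | Find-SdiagnhostChild | Format-List

# Live use on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonEvent | Find-SdiagnhostChild
```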
You can detect instances of the exploited vulnerability using Microsoft Defender:
— Gab (Steam: /id/inside | Ubi: Swift) (@pbcGABriel) May 31, 2022
If you are using Microsoft Defender’s Attack Surface Reduction, you can enable the rule “Block all Office applications from creating child processes.” However, consider using Audit mode at first to check for side effects in your environment.
You can also remove the file association for ms-msdt, which can stop malware in infected documents from running. This can be done by deleting the file association from the Windows Registry or by using Kelvin Tegelaar’s PowerShell script.
The current thought in the infosec community is that this action will not have any adverse effects on Windows systems, apart from being unable to use MS Office Troubleshooting Wizard, a rarely used feature.
This may also break Microsoft Office licensing. If you apply this fix, you must reverse it once a patch becomes available, and you may want to track which workstations received it in the event that it needs to be reversed at a later date.
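The registry workaround described earlier (back up, then delete the ms-msdt key) combined with the undo and tracking advice above, as an added example that is not Microsoft's, Blumira's or Kelvin Tegelaar's script. The backup directory, file names, CSV columns and state labels are assumptions of this example; the Undo branch restores the key with `reg import`.

```powershell
# Added example. Save as a .ps1 file and run it from an elevated PowerShell session.
param(
    [ValidateSet('Apply', 'Undo')] [string]$Action = 'Apply',
    [string]$BackupDir = 'C:\ProgramData\msdt-workaround'   # assumed location
)

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $BackupDir 'ms-msdt.reg'
$TrackFile  = Join-Path $BackupDir 'status.csv'             # assumed tracking record

function Test-MsdtHandler {
    # reg.exe exits 0 when the key exists and 1 when it does not.
    & reg.exe query $Key *> $null
    return ($LASTEXITCODE -eq 0)
}

function Write-Status([string]$State) {
    # One row per change, so hosts that still need the undo can be listed later.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $State
        Timestamp = (Get-Date).ToString('s')
    } | Export-Csv -Path $TrackFile -Append -NoTypeInformation
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

if ($Action -eq 'Apply') {
    if (-not (Test-MsdtHandler)) { Write-Status 'AlreadyAbsent'; return }
    # Keep the first backup: a later run must not overwrite it.
    if (-not (Test-Path $BackupFile)) { & reg.exe export $Key $BackupFile *> $null }
    if (-not (Test-Path $BackupFile) -or (Get-Item $BackupFile).Length -eq 0) {
        throw "Export of $Key failed; the key was left in place."
    }
    & reg.exe delete $Key /f *> $null
    if (Test-MsdtHandler) { throw "Delete of $Key failed." }
    Write-Status 'HandlerRemoved'
}
else {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile *> $null
    if (-not (Test-MsdtHandler)) { throw "Import did not restore $Key." }
    Write-Status 'HandlerRestored'
}
```

Pointing `$BackupDir` at a per-host folder on a restricted share is one way to collect the status rows centrally.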
Update: Blumira customers can now detect instances of CVE-2022-30190 being exploited in their environment.