Published Date: 01/06/2022
The purpose of this alert is to bring urgent attention to a remote code execution vulnerability present in Microsoft Support Diagnostic Tool (MSDT).
The vulnerability allows an attacker to abuse MSDT when it is invoked through its URL protocol from a calling application such as Word, resulting in arbitrary code execution with the privileges of that application.
On 30 May 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) vulnerability.
The impact of exploiting this vulnerability is remote code execution resulting in a malicious actor being able to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
The Triskele Labs CTI team advises that Proof-of-Concept (POC) code exploiting the vulnerability has been made publicly available, and that there are indicators of this vulnerability being exploited in the wild as far back as mid-April 2022. The Australian Cyber Security Centre is also aware of active exploitation of the vulnerability targeting Australian organisations.
This publicly available POC code has been integrated into common exploitation frameworks and tools; our Red Team has also been able to successfully exploit this vulnerability in our testing environment.
Microsoft has published several remediation and workaround recommendations; the primary guidance is to disable the MSDT URL protocol, as outlined below. This guidance has been sourced directly from the Microsoft Security Response Center (MSRC).
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings under other or additional troubleshooters.
Follow these steps to disable:
How to undo the workaround:
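The Microsoft workaround that this alert refers to exports the ms-msdt protocol handler key (HKEY_CLASSES_ROOT\ms-msdt) as a backup and then deletes it; undoing it re-imports the backup. The script below is an added example that wraps both steps, with a status check, so the change can be applied consistently across a fleet and reverted once the patch is installed. It is not part of this alert or Microsoft's guidance; the backup location under $env:ProgramData and the function names are assumptions made here.

```powershell
<#
  Added example (not from the alert): apply, undo or report the CVE-2022-30190 workaround
  of removing the ms-msdt: URL protocol handler. Run from an elevated PowerShell session.
  -Action Disable : back up HKCR\ms-msdt to $BackupPath, then delete the key
  -Action Undo    : re-import the backup to restore the handler
  -Action Status  : report whether the handler is currently present
#>
param(
    [ValidateSet('Disable', 'Undo', 'Status')]
    [string]$Action = 'Status',
    # Assumed backup location; any path the admin can write to works.
    [string]$BackupPath = "$env:ProgramData\ms-msdt-handler-backup.reg"
)

# Protocol handler key named in Microsoft's workaround guidance.
$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtProtocolStatus {
    # The Registry:: provider path accepts the full hive name used by reg.exe.
    if (Test-Path "Registry::$KeyPath") { 'Present' } else { 'Removed' }
}

function Disable-MsdtProtocol {
    if (-not (Test-IsAdmin)) { throw 'Run this script from an elevated PowerShell session.' }
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # Back up first so the change can be reverted once the patch is applied.
    & reg.exe export $KeyPath $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup of $KeyPath to $BackupPath failed; refusing to delete the key."
    }
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed." }
    Write-Host "ms-msdt handler removed. Backup written to $BackupPath"
}

function Undo-MsdtWorkaround {
    if (-not (Test-IsAdmin)) { throw 'Run this script from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupPath)) {
        throw "No backup found at $BackupPath; cannot restore the handler."
    }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
    Write-Host "ms-msdt handler restored from $BackupPath"
}

switch ($Action) {
    'Disable' { Disable-MsdtProtocol }
    'Undo'    { Undo-MsdtWorkaround }
    'Status'  { Write-Host "ms-msdt URL protocol handler: $(Get-MsdtProtocolStatus)" }
}
```

The script refuses to delete the key unless the export succeeded and the backup file exists, because the workaround is only reversible while that file is intact; keep the backup with the change record for each host so the handler can be restored after patching.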
The Triskele Labs Managed Detection and Response (MDR) team is monitoring for suspicious activity within customer environments. The team has tested a number of detection strategies and, together with our vendors, has implemented these as they became available.
SIEM and EDR agents deployed on servers and endpoints will aid in detecting a threat actor who has successfully accessed an environment and commenced reconnaissance.
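The detection strategies this alert mentions are not spelled out, so the following is an added example of the kind of process-ancestry logic an EDR or SIEM rule for this vulnerability would carry. It is not Triskele Labs' or any vendor's rule. The indicators it keys on (an Office application spawning msdt.exe, and the troubleshooting host sdiagnhost.exe spawning a script interpreter) come from widely published defender guidance for this CVE, including Microsoft's, not from the alert text; the sample events are constructed by hand, with field names that follow Sysmon Event ID 1 naming but no real log behind them.

```powershell
<#
  Added example (not from the alert): classify process-creation events against the
  MSDT abuse chain so a SIEM/EDR rule can be tuned before deployment.
  The events at the bottom are constructed; nothing here reads a real log. In production,
  feed Get-WinEvent output (Sysmon Event ID 1 or equivalent EDR telemetry) into
  Get-MsdtSuspiciousEvent instead.
#>

# Office applications that can reach the ms-msdt: handler from a document.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')
# Interpreters the troubleshooting host (sdiagnhost.exe) does not normally spawn.
$ScriptHosts   = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Get-MsdtSuspiciousEvent {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent   = [IO.Path]::GetFileName($e.ParentImage)
        $child    = [IO.Path]::GetFileName($e.Image)
        $reason   = $null
        $severity = $null

        if ($child -ieq 'msdt.exe' -and $OfficeParents -contains $parent) {
            # A document has no legitimate need to launch a troubleshooter.
            $reason = 'Office application spawned msdt.exe'; $severity = 'High'
        }
        elseif ($parent -ieq 'sdiagnhost.exe' -and $ScriptHosts -contains $child) {
            # The diagnostic host running an interpreter is where attacker code executes.
            $reason = 'sdiagnhost.exe spawned a script interpreter'; $severity = 'High'
        }
        elseif ($child -ieq 'msdt.exe' -and $e.CommandLine -match 'ms-msdt:') {
            # URL-protocol launches also come from legitimate troubleshooter links in the
            # operating system, so on its own this only merits a medium for review.
            $reason = 'msdt.exe launched via ms-msdt: URL protocol'; $severity = 'Medium'
        }

        if ($reason) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.Computer
                Parent   = $parent
                Child    = $child
                Severity = $severity
                Reason   = $reason
                Command  = $e.CommandLine
            }
        }
    }
}

# Constructed sample events: one benign launch, two high-severity matches, one medium.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2022-06-01T09:12:03Z'; Computer = 'WS-01'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe /id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ TimeCreated = '2022-06-01T09:15:41Z'; Computer = 'WS-02'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:/id [constructed-placeholder]' }
    [pscustomobject]@{ TimeCreated = '2022-06-01T09:15:44Z'; Computer = 'WS-02'
        ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe [constructed-placeholder]' }
    [pscustomobject]@{ TimeCreated = '2022-06-01T10:02:17Z'; Computer = 'WS-03'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:/id [constructed-placeholder]' }
)

Get-MsdtSuspiciousEvent -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample set the first event is not flagged, the WINWORD.EXE and sdiagnhost.exe events come back as High, and the explorer.exe launch via ms-msdt: comes back as Medium. Splitting the rule by severity this way matters because, as the workaround section notes, the URL protocol is also used by legitimate troubleshooter links in the operating system; alerting on the protocol alone would be noisy, while the Office-parent and interpreter-child conditions are specific to the abuse chain.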
References used for the generation of this release: