Just in Time Bulletin: CVE-2022-30190 Microsoft Windows Support Diagnostic Tool RCE

May 23, 2022

What is CVE-2022-30190? 

CVE-2022-30190, also known as Follina, is a remote command execution vulnerability that impacts Microsoft’s legacy remote troubleshooting utility, the Microsoft Windows Support Diagnostic Tool (MSDT). MSDT is a legacy service in Windows that enables technical support analysts to remotely access troubleshooting data for diagnostic purposes. MSDT can be invoked through requests in the format ‘ms-msdt:/’, and such requests can be embedded into Microsoft Word documents. Using this mechanism, researchers determined that it was possible to embed a remote reference into a Word document that downloaded a malicious HTML file which, when rendered, caused the victim system to execute a PowerShell payload via a crafted ‘ms-msdt:/’ request. Exploitation is fairly unsophisticated, but begins with a buffer overflow: when an excessively large request is submitted to the MSDT protocol endpoint, it results in an unstable application state that leads to the execution of attacker-defined PowerShell at the same privilege level as the MSDT service.

The attack requires local access to exploit, which is facilitated through a malicious Word file delivered to the victim by a remote adversary. An attacker would need to leverage social engineering to successfully deliver the Word payload to the victim. Public exploits are mature and readily available in tools such as Metasploit.

How bad is this?

CVE             CVSSv3 Score
CVE-2022-30190  7.8

Active exploitation today: Actively exploited in the wild prior to patch availability.

Severity: High

  • Requires an attacker to leverage social engineering
  • Exploited in the wild, low level of complexity

Who is affected by this?

  • All Windows versions from 7 to Server 2022

How is it exploited?

Exploitation can be accomplished with a crafted Word document sent to the victim via email.

How do I protect myself?

Microsoft has released a cumulative security patch to address CVE-2022-30190. Apply this patch if possible.

If patching is not an immediate option, Microsoft recommends that the MSDT URL protocol be disabled.

To disable the MSDT URL Protocol:

  • Type CMD in the Windows Search option and click on Run as Administrator.
  • Run the following command to back up the registry key:
    • reg export HKEY_CLASSES_ROOT\ms-msdt regbackupmsdt.reg
  • Then execute the following command to disable MSDT URL protocol:
    • reg delete HKEY_CLASSES_ROOT\ms-msdt /f
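The same workaround as a single script, added here as an example and not taken from the NopSec bulletin or from Microsoft’s guidance. It wraps the two reg commands above so the key is only deleted after the backup has been verified on disk, and confirms afterwards that the handler is gone. The backup file location ($env:USERPROFILE\regbackupmsdt.reg) and the function names are assumptions for this example; run it from an elevated PowerShell session.

```powershell
# Added example (not the bulletin's own code): back up and remove the
# ms-msdt URL protocol handler, then verify the result.
# Assumptions: run as Administrator; backup path below is an example choice.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:USERPROFILE 'regbackupmsdt.reg'

function Test-MsdtProtocolHandler {
    # Returns $true while the ms-msdt URL protocol handler is still registered.
    # Useful on its own as an audit check across machines.
    return (Test-Path -Path $KeyPath)
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Output 'ms-msdt handler is already absent; nothing to do.'
        return
    }

    # Step 1: export the key first so the change can be reverted later with
    #         'reg import <file>'. /y overwrites an existing backup file.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw 'Registry backup failed; aborting before deleting the key.'
    }

    # Step 2: remove the handler (equivalent to 'reg delete ... /f').
    Remove-Item -Path $KeyPath -Recurse -Force

    # Step 3: verify the handler is really gone before reporting success.
    if (Test-MsdtProtocolHandler) {
        throw 'ms-msdt key is still present after removal.'
    }
    Write-Output "ms-msdt URL protocol disabled. Backup saved to $BackupFile"
}

Disable-MsdtProtocolHandler
```

Once the cumulative patch has been applied, the handler can be restored with `reg import` of the backup file if MSDT troubleshooting is still needed; Test-MsdtProtocolHandler can be reused on its own to confirm which machines still have the protocol registered.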

Additional Resources: