What is CVE-2022-30190?
CVE-2022-30190, also known as Follina, is a remote command execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), Microsoft’s legacy remote troubleshooting utility. MSDT is a legacy Windows service that lets technical support analysts remotely collect troubleshooting data for diagnostic purposes. MSDT is invoked through requests in the ‘ms-msdt:/’ URL protocol format, and such requests can be embedded in Microsoft Word documents. Using this mechanism, researchers determined that a Word document could carry a remote reference that downloads a malicious HTML file which, when rendered, causes the victim system to execute a PowerShell payload via a crafted ‘ms-msdt:/’ request. Exploitation is fairly unsophisticated, but begins with a buffer overflow: when an excessively large request is submitted to the MSDT protocol endpoint, the application is left in an unstable state that leads to the execution of attacker-defined PowerShell at the same privilege level as the MSDT service.
The attack requires local access to exploit, which a remote adversary obtains by delivering a malicious Word file to the victim; the attacker would need to leverage social engineering to get the victim to open the Word payload. Public exploits are mature and readily available in tools such as Metasploit.
How bad is this?
| CVE | CVSSv3 Score |
|---|---|
| CVE-2022-30190 | 7.8 |
Active exploitation today: Actively exploited in the wild prior to patch availability.
Severity: High
- Requires an attacker to leverage social engineering
- Exploited in the wild; low level of complexity
Who is affected by this?
- All Windows versions from 7 to Server 2022
How is it exploited?
Exploitation can be accomplished with a crafted Word document sent to the victim via email.
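As an added example (not part of the original advisory), the following Python check inspects a .docx for the delivery pattern described above: a relationship that pulls an OLE object from a remote HTTP(S) location, or an ms-msdt: reference inside any document part. The sample documents are constructed inline and the host name untrusted.example is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Any ms-msdt: handler reference inside a document part is worth a second look.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return review findings for a .docx given as bytes (empty list if none)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(content)
                except ET.ParseError:
                    findings.append(f"{name}: unparseable relationships part")
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    # Normal documents embed OLE objects internally; one fetched from
                    # a remote URL is the delivery pattern used by Follina documents.
                    if (rel.get("TargetMode") == "External"
                            and rel.get("Type", "").endswith("/oleObject")
                            and re.match(r"https?://", target, re.IGNORECASE)):
                        findings.append(f"{name}: external OLE object loaded from {target}")
            if MSDT_RE.search(content):
                findings.append(f"{name}: contains an ms-msdt: reference")
    return findings


def build_sample_docx(rels_xml: bytes, document_xml: bytes = b"<w:document/>") -> bytes:
    """Constructed minimal .docx for testing; not a real or weaponised document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_OPEN = b'<Relationships xmlns="%s">' % REL_NS.encode()
OOXML_REL = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Benign: styles part referenced internally. Suspicious: OLE object pulled from the
# placeholder host untrusted.example with TargetMode="External".
BENIGN_DOCX = build_sample_docx(RELS_OPEN + b'<Relationship Id="rId1" Type="' + OOXML_REL
    + b'styles" Target="styles.xml"/></Relationships>')
SUSPICIOUS_DOCX = build_sample_docx(RELS_OPEN + b'<Relationship Id="rId1" Type="' + OOXML_REL
    + b'oleObject" Target="http://untrusted.example/index.html" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, scan_docx(doc) or "no findings")
```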
How do I protect myself?
Microsoft has released a cumulative security patch to address CVE-2022-30190. Apply this patch if possible.
If patching is not an immediate option, Microsoft recommends that the MSDT URL protocol be disabled.
To disable the MSDT URL Protocol:
- Type CMD in the Windows Search box and click Run as Administrator.
- Run the following command to back up the registry key:
  - reg export HKEY_CLASSES_ROOT\ms-msdt regbackupmsdt.reg
- Then execute the following command to disable the MSDT URL protocol:
  - reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Additional Resources:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
- https://support.microsoft.com/en-us/topic/june-14-2022-kb5014738-monthly-rollup-54e9b3f2-2353-4e73-acbb-5458f38e161e
- https://packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html
- https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug