Carnegie Mellon University
June 06, 2022

Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability: "Follina"

Microsoft Support Diagnostic Tool (MSDT) Remote Code Execution Zero Day Vulnerability "Follina" (CVE-2022-30190)

UPDATE 6/15/22

Microsoft has released a patch for "Follina" as part of the June Patch Tuesday updates.

Brief Description

A remote code execution vulnerability dubbed "Follina" exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Active exploitation of this vulnerability is underway.

Platforms Affected

All currently supported versions of Windows and Windows Server

Windows 11 / 10 / 8.1 / 7 and Windows Server 2022 / 2019 / 2016 / 2012 R2 / 2012 / 2008 R2

Detailed Information

A remote code execution vulnerability exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Active exploitation of this vulnerability is underway. If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet with Protected View or Application Guard for Office, both of which prevent this vulnerability from being exploited. If Protected View is bypassed or disabled, or if a malicious document is opened using a non-Microsoft Office application, the exploit may execute. Additionally, if the preview pane in Windows Explorer is enabled and the malicious file is selected but not opened, the exploit will execute as soon as the preview is rendered in Explorer. This effectively creates a "zero click" scenario for exploitation.

Active Exploitation

This vulnerability has been exploited in the wild, primarily through phishing attacks.

What you should do

All Users

Remain vigilant about phishing e-mails and report them to ISO.

Install the latest patches and reboot as soon as possible. If for some reason you are unable to patch, continue applying the following mitigations.

IT Staff or those who administer their own machines

Disabling the MSDT URL protocol prevents exploitation of this vulnerability, and this mitigation should be applied as soon as possible. It prevents troubleshooters from being launched from links, including links throughout the operating system (such as in the help documentation), so troubleshooters cannot be triggered by those methods while the mitigation is in place. Troubleshooters can still be accessed through the Get Help application, in System Settings, or via Additional troubleshooters. Once the patch has been installed, the mitigation can be rolled back, re-enabling the troubleshooting functionality.

For Andrew AD connected machines, a Group Policy has been created that will automatically perform the registry modifications listed below. By linking “CMU.All.CVE-2022-30190.RegKey removal” this can be applied where needed. This Group Policy will only mitigate the vulnerability and will not revert the change after patching.

For machines requiring manual intervention, follow these steps to disable the MSDT URL protocol:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (replace filename with the path of the backup file to create).
  • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

Once the affected system has been fully patched, the mitigation may be rolled back using the following steps:

  • Run Command Prompt as Administrator.
  • To restore the registry key, execute the command "reg import filename" (using the backup file exported above).
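The following PowerShell script is an added example and is not part of the CMU ISO advisory or the Group Policy it describes. It performs the same backup, delete, and restore steps as the reg.exe commands above, but checks that the backup was written before deleting the key and verifies the result of each step. The backup location ($BackupPath) and the function names are assumptions for this example; run it from an elevated PowerShell session.

```powershell
# Added example (not from the CMU ISO advisory): back up, remove, verify and
# restore the ms-msdt URL protocol handler, mirroring the manual reg.exe steps.
#Requires -RunAsAdministrator

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
# Assumed backup location for this example; any writable path works.
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtProtocolRegistered {
    # $true while the ms-msdt handler (and therefore the exploit path) is present.
    return Test-Path -Path $KeyPath
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # reg.exe export produces a standard .reg file that 'reg import' can restore,
    # exactly as the advisory's manual steps expect. /y overwrites an older backup.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup failed; refusing to delete the key without one."
    }
    # Equivalent of: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
    Remove-Item -Path $KeyPath -Recurse -Force
    if (Test-MsdtProtocolRegistered) { throw "Key still present after deletion." }
    Write-Host "ms-msdt URL protocol disabled; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    # Roll back only after the patch for CVE-2022-30190 has been installed.
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed." }
    if (-not (Test-MsdtProtocolRegistered)) { throw "Key missing after import." }
    Write-Host "ms-msdt URL protocol restored from $BackupPath"
}

# Usage: uncomment the step you need.
# Disable-MsdtProtocol   # apply the mitigation
# Restore-MsdtProtocol   # roll back after patching
```

Test-MsdtProtocolRegistered doubles as a quick compliance check: running it across a fleet (for example through a remote session) shows which unpatched machines still have the handler registered. Note that HKEY_CLASSES_ROOT is a merged view of the machine and per-user Classes hives, so the script, like the reg.exe commands in the advisory, removes the handler from whichever hive currently supplies it.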


If you use Attack Surface Reduction rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent exploitation.

Microsoft Attack Surface Reduction Rules: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference
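As an added example (not from the advisory), the script below enables that Attack Surface Reduction rule in Block mode on a machine running Microsoft Defender and then confirms the configured state by reading it back. The rule GUID is the one listed for "Block all Office applications from creating child processes" in Microsoft's ASR rules reference linked above; the function names are assumptions for this example.

```powershell
# Added example (not from the CMU ISO advisory): enable the ASR rule
# "Block all Office applications from creating child processes" in Block mode
# using the Defender PowerShell module, then verify it is actually in effect.
#Requires -RunAsAdministrator

# GUID per Microsoft's ASR rules reference (linked in the advisory).
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([string]$RuleId)
    # Defender exposes configured rules as two parallel arrays: ids and actions.
    # Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return [int]$acts[$i] }
    }
    return 0   # not configured at all, which is effectively Off
}

function Enable-OfficeChildProcessBlock {
    # Add-MpPreference adds or updates this one rule without disturbing others.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    $state = Get-AsrRuleState -RuleId $OfficeChildProcRule
    if ($state -ne 1) {
        throw "Rule $OfficeChildProcRule is not in Block mode (state=$state); check for a Group Policy or MDM setting overriding it."
    }
    Write-Host "ASR rule $OfficeChildProcRule is in Block mode."
}

Enable-OfficeChildProcessBlock
```

On machines where ASR rules are managed by Group Policy or Intune, the policy value wins over local settings, which is why the script reads the state back rather than assuming the Add-MpPreference call took effect. If you want to measure impact before blocking, set the action to AuditMode first and review the ASR events in the Defender operational log, then switch to Enabled.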

References

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference