Microsoft recently published an advisory on a newly identified zero-day vulnerability that affects Microsoft Support Diagnostic Tool (MSDT). CVE-2022-30190, which is being exploited in the wild, has been dubbed Follina by industry researcher Kevin Beaumont.
What is Follina?
Follina (CVE-2022-30190) is a zero-day vulnerability affecting MSDT (Microsoft Support Diagnostic Tool). Since Microsoft made Office applications block macros in files downloaded from the internet by default, threat actors have turned to novel techniques, such as this one, to weaponize Office documents.
MSDT is an application that automatically collects diagnostic information and sends it to Microsoft when Windows experiences an issue. When MSDT is called using the URL protocol from an application, such as Word, a remote code execution (RCE) vulnerability exists, enabling threat actors who successfully exploit it to run arbitrary code with the privileges of the calling application. This allows the threat actor to install programs, view and change data, delete data, or create new accounts. Although the malicious code runs locally on the victim's machine, the threat actor triggers it remotely through the delivered document.
According to Proofpoint, the Chinese threat actor group TA413 has been observed exploiting CVE-2022-30190. The group is using URLs to deliver Zip archives containing Word documents that use the technique described above. Security researcher Cas van Cooten has made a proof of concept (PoC) using the technique available on GitHub.
In their advisory, Microsoft offered a temporary workaround for the vulnerability.
According to Microsoft, disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. This can be done using the following steps:
- Run Command Prompt as Administrator.
- Execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename" to back up the registry key.
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
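The same workaround as a script, added here as an example (it is not from Microsoft's advisory or from PolySwarm): it checks for elevation, exports the key to a backup file before deleting it, and verifies that the handler is gone. The backup path is an assumption; any writable location works.

```powershell
# Added example: apply the ms-msdt URL protocol workaround from an elevated
# PowerShell session, keeping a backup that "reg import" can restore later.
# Backup location is an assumption, not something the advisory prescribes.
$backup = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'

# HKEY_CLASSES_ROOT writes need administrator rights; stop early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Nothing to do if the handler key is already absent.
if (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')) {
    Write-Output 'ms-msdt handler is already absent; nothing to do.'
    return
}

# Step 1: export the key before touching it (same command as the advisory; /y overwrites an old backup).
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg export exit code $LASTEXITCODE)" }

# Step 2: delete the handler key so ms-msdt: links no longer launch MSDT.
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
if ($LASTEXITCODE -ne 0) { throw "Delete failed (reg delete exit code $LASTEXITCODE)" }

# Step 3: confirm the mitigation took effect.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    throw 'ms-msdt key is still present after the delete.'
}
Write-Output "ms-msdt URL handler removed; backup saved to $backup"
Write-Output "To restore the handler later: reg import `"$backup`""
```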
PolySwarm has multiple samples of CVE-2022-30190-related exploits.
PolySwarm is monitoring for additional exploits leveraging the Follina vulnerability and will make them available in our portal.
You can use the following CLI command to search for all Follina samples available in our portal:
$ polyswarm link list -f Follina