Threat Signal Report

Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild

Description

UPDATE June 14th, 2022: Updated patch status for CVE-2022-30190.

UPDATE May 31st, 2022: Updated the coverage section with protection by the FortiGuard Content Disarm and Reconstruction (CDR) service.


FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.


Why is this Significant?

This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.


What is CVE-2022-30190?

The vulnerability is a remote code execution vulnerability that was named "Follina" by security researcher Kevin Beaumont. The name "Follina" was derived from the 0-day sample referencing "0438", which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, such as Word. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user's rights.


A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word to retrieve a remote HTML file. The retrieved HTML file uses the "ms-msdt" MSProtocol URI scheme to load and execute the PowerShell payload. Note that ms-msdt refers to the "Microsoft Support Diagnostic Tool", a legitimate Microsoft tool that collects system information and sends it back to Microsoft for problem diagnosis.


What is concerning is that the vulnerability reportedly can be exploited even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document is saved in RTF format, even previewing the document in Windows Explorer can trigger the exploit.


How Widespread is this?

While attacks leveraging the vulnerability do not appear to be widespread, more attacks are expected because Proof-of-Concept code is available and a patch has not yet been released.


Does the Vulnerability Have a CVE Number?

CVE-2022-30190 has been assigned to the vulnerability.


Has Microsoft Released an Advisory?

Yes. See the Appendix for a link to "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".


Has Microsoft Released a Patch?

Microsoft released a patch for CVE-2022-30190 on June 14th as part of its regular Patch Tuesday release.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the known samples that are associated with CVE-2022-30190:


W32/Rozena.SA!TR
MSWord/Agent.2E52!tr.dldr
MSOffice/Agent.DIT!tr
HTML/CVE_2022_30190.A!tr
MSIL/Agent.2E52!exploit
W32/Agent.2E52!exploit
LNK/Agent.2E52!exploit
Data/Agent.2E52!exploit
MSWord/CVE20170199.A!exploit
Riskware/RemoteShell


Regarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:

MS.Office.MSHTML.Remote.Code.Execution.


Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.


FortiEDR will provide protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to "Technical Tip: How FortiEDR protects against CVE-2022-30190 'Follina' Microsoft Office protocol vulnerability" for more information.


The FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real time and prevent it by disarming the "oleobject" data in Microsoft Office files.


FortiGuard Labs is currently investigating additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.


Any Suggested Mitigation?

Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability".


Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.