Context
Microsoft has shared mitigation measures, which are included below, to block attacks exploiting the flaw, designated CVE-2022-30190, while a patch is being developed. Microsoft‘s entry for CVE-2022-30190 indicates it affects MSDT on all versions of Windows and Windows Server and has detected exploitation in the wild.
The remote code execution vulnerability exists when Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
RH-ISAC members are encouraged to review the mitigation measures below for security posture and awareness.
Background
MSDT is short for Microsoft Support Diagnostics Tool, a utility that is used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve various technical problems.
The MSDT vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document that was uploaded to VirusTotal from an IP address in Belarus on the 25th of May 2022. The malicious document, or maldoc, leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload. The attacker, after execution of the payload, can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Mitigation Measures
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
To disable the MSDT URL Protocol
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
-
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg import filename“
Update – June 1:
Since initial disclosure, Chinese-linked threat actors are now actively utilizing CVE-2022-30190 to execute malicious code remotely on targeted Windows systems.
The TA413 APT group, a hacking outfit linked to Chinese state interests and known for targeting Tibetan targets in the past, has adopted this vulnerability in attacks against the international Tibetan community, according to new research from Proofpoint. Chinese actors have been observed utilizing CVE-2022-30190, now also known as Follina, to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives. The campaign impersonates the Women Empowerments Desk of the Central Tibetan Administration and utilizes the domain tibet-gov[.]web[.]app to target unsuspecting Tibetans into download the maldocs loaded inside the attached ZIP archive.
This development comes as Security researcher MalwareHunterTeam observed DOCX files with Chinese filenames being used to install malicious payloads detected as password-stealing trojans via hxxp://coolrat[.]xyz.
RH-ISAC members should be aware of the rising utilization of CVE-2022-30190 since initial conception and public discovery, especially as Microsoft continues to develop a working patch to mitigate the issue. Members are advised to apply the previously disclosed mitigation techniques in the above post.
