Follina – CVE-2022-30190

1st June 2022

Brief

On May 30th, 2022 Microsoft released guidance relating to a zero-day vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows, which allows a form of Remote Code Execution (RCE) via Word’s remote template feature. The exploit has been dubbed ‘Follina’ because of references in the code to the location in Italy, and has been given a CVSS score of 7.8.

The malicious document (maldoc) loads an HTML page via Word’s external link, which then exploits the vulnerability in msdt to execute PowerShell code on the target machine.

The vulnerability impacts all Windows versions currently supported by Microsoft.

Daisy will continue to monitor this; however, an increase in exploitation is expected.

Workaround

The primary action should be to apply the workaround detailed by Microsoft. The instructions are below:

  1. Run Command Prompt as Administrator
  2. Backup the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt <filename>
  3. Delete the registry key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Alternatives

If you are unable to apply the workaround, you can disable the Troubleshooting Wizards by GPO or in the user interface.

GPO method

Set the value EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics to 0.

User Interface

Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “Disabled”.


Additional Steps

  1. Validate that your existing security software detects and blocks exploitation against Follina (CVE-2022-30190)
  2. Block .rtf files on your mail gateway, remembering to whitelist any historical email addresses that you deem safe. Make sure the block also covers .rtf files inside zip or rar archives.
  3. Disable the preview pane through Group Policy

Defender for Endpoint

Customers using Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which blocks Office apps from creating child processes.

If you have an EDR solution, you can monitor or block attempts by winword.exe and excel.exe to launch the following processes:

  • regsvr32.exe
  • rundll32.exe
  • msiexec.exe
  • mshta.exe
  • verclsid.exe
  • msdt.exe
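The parent/child check described above, written out as an added example (not code from the original advisory) over constructed process-creation records in a Sysmon Event ID 1 style; the pipe-delimited layout and the sample users are assumptions made for the example.

```python
import ntpath

# Office parents and child processes named in the advisory. Matching is done
# case-insensitively on the file name only, since telemetry paths differ in
# case and install location (Office16, SysWOW64, ...).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "msiexec.exe",
                       "mshta.exe", "verclsid.exe", "msdt.exe"}

# Constructed sample events (not real telemetry) in a key=value|key=value
# layout loosely modelled on Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\msdt.exe|User=CORP\\alice",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msdt.exe|User=CORP\\bob",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Image=C:\\Windows\\SysWOW64\\rundll32.exe|User=CORP\\carol",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\splwow64.exe|User=CORP\\dave",
    "EventID=3|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\msdt.exe|User=CORP\\erin",
]


def parse_event(line):
    """Split one pipe-delimited key=value record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name; ntpath handles Windows separators on any host."""
    return ntpath.basename(path).lower()


def is_office_spawn(event):
    """True when a process-creation event shows Office launching a listed child."""
    if event.get("EventID") != "1":
        return False  # only process creation, not network/other event types
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def find_alerts(lines):
    """Return (user, parent, child) for every event that should raise an alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_office_spawn(ev):
            alerts.append((ev.get("User", ""), basename(ev["ParentImage"]),
                           basename(ev["Image"])))
    return alerts
```

On the sample set this flags only the WINWORD.EXE -> msdt.exe and EXCEL.EXE -> rundll32.exe events; the explorer.exe parent, the splwow64.exe child and the non-creation event are ignored.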

Education is key

Whilst this may seem like security 101, reiterating these steps can only be advantageous.

  1. Educate users not to disable Protected View (or enforce it through Group Policy)
  2. Educate users not to open documents that they are not expecting, or are not absolutely certain of (even from apparently safe senders)

Updates

Monitor Microsoft Security Response Center advisories relating to this vulnerability, as detailed at the following link: Microsoft Follina Advice

References

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
