Follina:Microsoft Support Diagnostic Tool RCE Vulnerability Under Active Exploitation


    Overview:

    Microsoft has announced a vulnerability in MSDT (Microsoft Support Diagnostic Tool) that could allow remote code execution on all Windows operating systems. The flaw is not specific to any one Windows version; it lies in the ms-msdt protocol handler itself. An attacker who gets a user to open a malicious Word or RTF document can therefore achieve remote code execution.

    Multiple proofs of concept (PoCs) have been published, and active exploitation through email-based delivery is to be expected. The vulnerability is called “Follina”.

     

    CVE assigned:

    CVE-2022-30190

    Affected Software:

    All the Windows Operating Systems.

    Solution:

    To mitigate this vulnerability, back up the registry and then delete the HKEY_CLASSES_ROOT\ms-msdt key.

    Mitigation using SanerNow:

    1. Download the attached CVE-2022-30190_MSDT_fix.zip.
    2. Log in to SanerNow.
    3. Switch to the account/site-specific view.
    4. Use the EM tool to create an Action.
    5. Select the 'Software Deployment' feature.
    6. Click on Upload, in the upper right corner.
    7. Click on ‘Compressed (ZIP/GZIP/TAR) Installer Packages’, click on 'Open the file Browser', upload the ‘CVE-2022-30190_MSDT_fix.zip’ file and click on Close.
    8. Once the uploaded package is visible, click on the 'exclamation mark' as shown in the diagram below (Picture1.png).
    9. Click on Edit in the newly opened window, set the silent option to Extract location, enter “CVE-2022-30190.bat” as the Run File name, and click on 'Update Details' as shown in the diagram below (Picture2.png).
    10. Select the uploaded package and click on Install, in the upper right corner.
    11. Select the 'Group' to which the workaround should be applied and click 'Next'.
    12. Enter the required details and click on 'Create Installation task’ as shown in the diagram below (Picture3.png).

      Systems need not be rebooted for this change to take effect.

      On the next scheduled scan, this vulnerability will no longer be reported.

      Once the patch becomes available, a customer who wants to revert the registry change can roll it back by following the instructions below:

    1. Download the attached CVE-2022-30190_MSDT_rollback.zip.
    2. Upload the file in the same way as in the mitigation steps.
    3. Once the uploaded package is visible, click on the 'exclamation mark' as shown in the diagram below (Picture4.png).
    4. Click on Edit in the newly opened window, set the silent option to Extract location, enter “CVE-2022-30190_rollback.bat” as the Run File name, and click on 'Update Details' as shown in the diagram below (Picture5.png).
    5. Select the uploaded package and click on Install, in the upper right corner.
    6. Select the 'Group' to which the rollback should be applied and click 'Next'.
    7. Enter the required details and click on 'Create Installation task’ as shown in the diagram below (Picture6.png).

      Systems need not be rebooted for this change to take effect.

      On the next scheduled scan, vulnerabilities will not be reported.
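      The attached .bat files are not reproduced in this article. As an added illustration (not SanerNow's attached package or Microsoft's own script), the PowerShell below shows the three pieces the two procedures above automate: backing up and deleting the HKEY_CLASSES_ROOT\ms-msdt key (the mitigation), checking whether the key is still present (what a scan looks for), and re-importing the backup (the rollback). It assumes an elevated session, and the backup path is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example for the CVE-2022-30190 workaround; not the attached CVE-2022-30190.bat.
# Usage: .\msdt-workaround.ps1 -Mode Mitigate | Verify | Rollback
param(
    [ValidateSet('Mitigate', 'Verify', 'Rollback')]
    [string]$Mode = 'Verify',
    # Hypothetical backup location; any writable path works.
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
)

function Test-MsdtHandlerPresent {
    # True while the ms-msdt protocol handler is still registered,
    # i.e. the workaround has not been applied (or has been rolled back).
    return Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Invoke-MsdtMitigation {
    param([string]$BackupPath)
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt key already absent; nothing to do.'
        return
    }
    # 1. Export the key first so the change can be reverted after patching.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup failed (reg.exe exit code $LASTEXITCODE); key NOT deleted."
    }
    # 2. Remove the handler so ms-msdt: URLs no longer launch MSDT.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Delete failed (reg.exe exit code $LASTEXITCODE)."
    }
    Write-Output "ms-msdt key backed up to $BackupPath and deleted."
}

function Invoke-MsdtRollback {
    param([string]$BackupPath)
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath; cannot roll back."
    }
    # Re-import the exported key to restore the handler once the patch is installed.
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Import failed (reg.exe exit code $LASTEXITCODE)."
    }
    Write-Output "ms-msdt key restored from $BackupPath."
}

switch ($Mode) {
    'Mitigate' { Invoke-MsdtMitigation -BackupPath $BackupPath }
    'Rollback' { Invoke-MsdtRollback   -BackupPath $BackupPath }
    'Verify'   {
        if (Test-MsdtHandlerPresent) {
            Write-Output 'Workaround NOT applied: ms-msdt handler present.'
        } else {
            Write-Output 'Workaround applied: ms-msdt handler absent.'
        }
    }
}
```

      The order matters: the script refuses to delete the key if the export fails, because without a backup the rollback step has nothing to import. Run it with -Mode Verify on a few endpoints after deployment to confirm the change landed before relying on the next scheduled scan.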

      References:

      https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
