Executive Summary
CVE-2022-30190, also known as Follina, is a critical remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). This vulnerability is exploited when MSDT is called using the URL protocol from a calling application such as Microsoft Word. An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application, potentially leading to severe consequences such as installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. This report provides a comprehensive analysis of CVE-2022-30190, including its details, exploitation in the wild, mitigation strategies, and references to relevant sources. It is crucial for organizations to address this vulnerability promptly to safeguard their systems and data.
Technical Information
CVE-2022-30190, commonly referred to as Follina, is a critical remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). This vulnerability is exploited when MSDT is called using the URL protocol from a calling application such as Microsoft Word. An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application, potentially leading to severe consequences such as installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights.
The vulnerability is identified by the following details: - CVE ID: CVE-2022-30190 - Severity: High - CVSS v3.1 Base Score: 7.8 (High) - Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - CWE: CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) - Affected Products: Various versions of Microsoft Windows, including Windows 7, Windows 10, and Windows 11.
The vulnerability is triggered when a specially crafted Microsoft Office document leverages the Word remote template feature to retrieve an HTML file from a remote web server. This HTML file then uses the "ms-msdt" URL protocol to execute malicious code on the victim's machine. The exploitation of CVE-2022-30190 aligns with several MITRE ATT&CK techniques, including T1203 (Exploitation for Client Execution), T1071.001 (Application Layer Protocol: Web Protocols), and T1105 (Ingress Tool Transfer).
Exploitation in the Wild
The Follina vulnerability has been actively exploited in the wild. Attackers typically use specially crafted Microsoft Office documents that leverage the Word remote template feature to retrieve an HTML file from a remote web server. This HTML file then uses the "ms-msdt" URL protocol to execute malicious code on the victim's machine.
Notable Exploits and Attacks
Various Advanced Persistent Threat (APT) groups have been observed exploiting this vulnerability. Specific groups include APT28 (Fancy Bear) and APT29 (Cozy Bear), known for their sophisticated cyber-espionage campaigns. These groups have targeted sectors such as government, defense, and critical infrastructure in countries including the United States, United Kingdom, and Germany.
APT Groups using this vulnerability
APT28 (Fancy Bear) and APT29 (Cozy Bear) are among the notable APT groups exploiting CVE-2022-30190. These groups are known for their sophisticated cyber-espionage campaigns and have targeted sectors such as government, defense, and critical infrastructure in countries including the United States, United Kingdom, and Germany.
Affected Product Versions
The following product versions are affected by CVE-2022-30190: - Microsoft Windows 10: - Version: 1507 (up to, but excluding 10.0.10240.19325) - Version: 1607 (up to, but excluding 10.0.14393.5192) - Version: 1809 (up to, but excluding 10.0.17763.3046) - Version: 20H2 (up to, but excluding 10.0.19042.1766) - Version: 21H1 (up to, but excluding 10.0.19043.1766) - Version: 21H2 (up to, but excluding 10.0.19044.1766) - Microsoft Windows 11: - ARM64 - x64 - Microsoft Windows 7: - SP1
Workaround and Mitigation
To mitigate the risks associated with CVE-2022-30190, organizations should implement the following strategies:
Apply Patches: Microsoft has released patches to address this vulnerability. Ensure all systems are updated with the latest security patches. More information can be found at the Microsoft Security Response Center Advisory.
Disable MSDT URL Protocol: As a temporary workaround, disable the MSDT URL protocol by modifying the registry. Open Command Prompt as Administrator and run the following command:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f.Network Segmentation: Isolate critical systems and limit their exposure to potential attack vectors.
Email and Web Filtering: Implement robust email and web filtering solutions to block malicious documents and URLs.
References
- NVD CVE-2022-30190 Detail
- Microsoft Security Response Center Advisory
- HackTheBox Blog: CVE-2022-30190 (Follina) Explained
- DarkRelay: Unpacking CVE-2022-30190
- LogRhythm: Detecting Follina (CVE-2022-30190)
- Packet Storm Security: Microsoft Office Word MSDTJS Code Execution
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
- GitHub: Follina Exploits and POCs
Rescana is here for you
At Rescana, we understand the critical importance of safeguarding your organization's digital assets. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2022-30190. By leveraging our advanced threat intelligence and real-time monitoring capabilities, we provide you with the tools and insights needed to stay ahead of emerging threats. For further assistance or inquiries, please contact Rescana's cybersecurity team at ops@rescana.com.
Comments