Windows Vulnerability Follina (CVE-2022-30190): New findings, new risks (June 9, 2022)

Windows[German]The unpatched Windows vulnerability CVE-2022-30190 (Follina) which has been known since late May 2022, is slowly becoming a problem. The countermeasures described by Microsoft (and here in my blogs) do not seem sufficient. And the vulnerability is now also exploited by the QakBot malware in phishing attacks. Furthermore, I have received information from Cato about the vulnerability. Here is an updated overview of the state of affairs.


Advertising

Review of CVE-2022-30190

The Windows vulnerability CVE-2022-30190 (aka Follina), which has been public since late May 2022, allows to abuse the Microsoft Support Diagnostics Utility (msdt.exe) via the ms-msdt: protocol handler to download malicious Word documents from the web. The attacker can exploit the vulnerability to execute remote code with the privileges of the calling application.

I had addressed this issue on the blog in the posts Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190) and Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks.

Which versions are affected

Windows Server 2019 and Windows 10 version 1809 and later are affected, according to Microsoft, and all Office versions can be abused for such attacks. And it doesn't help if macro execution is disabled. There is even a way to use the PowerShell wget command to trigger the attack, so you don't have to rely on Office.

Various attack options

n the meantime, attacks using this vulnerability have been known to take place for up to six weeks (see Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks). Dave Greenfield from Cato Networks pointed me to their blog post Cato Protects Against Microsoft Office Follina Exploits, where they described three attack vectory:

  • Users can download a file or application that contains the payload and calls the Microsoft Support Diagnostics Utility (msdt.exe) locally.
  • Users can download a file or application that contains the payload and receives the MSDT call from the Internet (from the attacker's websites).
  • The user's browser receives the payload in response to an instruction from a malicious website and executes the MSDT.

As of today, there is no patch from Microsoft to close this vulnerability.


Advertising

Micro patch from ACROS Security

Only the developers of ACROS Security have released a micro patch to close this vulnerability in all Windows systems still supported by Microsoft. The micro-patch is available for free to all users until Microsoft releases security updates. I have described the details in the blog post 0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows.

What protects against Follina?

At this point, the question is how to protect against attacks via the vulnerability. Currently no patch from Microsoft is available yet.

Virus scanners detect it

Microsoft Defender now has a signature to find and eliminate such attacks via the MSDT vulnerability (see also the blog post Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190)). In addition, attacks via this vulnerability are now detected and blocked by other virus scanners as well as SIEMS solutions.

Cato IPS defends against Follina

Cato Networks has developed solutions for detection (Tactics, Techniques, and Procedures, TTP) and defense (see their blog post Cato Protects Against Microsoft Office Follina Exploits). All three of the above approaches are already blocked by Cato's Advanced Threat Prevention (ATP) capabilities. Cato's anti-malware checks and blocks the download of files or applications with the required payload to run Follina. Cato IPS (Intrusion Prevention System) detects and prevents any call over the network or Internet.

In the video above, security experts from Cato-Network demonstrate the attack over the Internet and also show how this attack is blocked by their own IPS solutions.

 (Source YouTube)

In the video above, security experts from Cato-Network demonstrate the attack over the Internet and also show how this attack is blocked by their own IPS solutions. 

Microsoft's solutions and GPOs are not enough

At this point, unfortunately, things get messy (with a discussion date of June 9, 2022). Microsoft published a support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability at the end of May 2022, which also provides guidance on mitigating the vulnerability. The document was updated as of June 6 and 7 in the FAQ section and excludes certain GPOs as a workaround.

Delete log handlers

While the support document recommends deleting the ms-msdt protocol handler by deleting the registry entry

HKEY_CLASSES_ROOT\ms-msdt

it doesn't mitigate the vulnerability. Because it's no guarantee that the ms-msdt protocol handler may not still be present in other places in the registry (user based). I point again to the two comments here and here in my German blog post that address this issue. 

Microsoft discards GPOs

In the comments (e.g. here) it is then recommended to use group policies (GPOs) to disable the Microsoft Support Diagnostics Utility (msdt.exe) after all. Unfortunately, this is a placebo, as Microsoft now explicitly writes within the FAQ section of their support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Q: Is configuring the GPO setting Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\"Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" to "Disabled" another workaround?

A: No, this GPO does not provide protection against this vulnerability. "Interactive communication with support provider" is a special mode MSDT runs in when launched with no parameters which has no impact on MSDT support for URL protocol.

Q: Is configuring the GPO setting Computer Configuration – Administrative Templates – System – Troubleshooting and Diagnostics – Microsoft Support Diagnostic Tool\"Troubleshooting: Allow users to access recommended troubleshooting for known problems" to "Disabled" another workaround?

A: No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.

What Microsoft doesn't address, is the method recommended by Benjamin Delphy. The group policy Troubleshooting: Allow users to access and run troubleshooting wizards under:

Computer Configuration\Policies\Administrative Templates\System\Problem Handling and Diagnostics\Script Diagnostics.

shall be deactivated. This should prevent the MSDT from being called. The policy affects HKLM in the branch:

SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics

and sets the DWORD value EnableDiagnostics to Disabled (0). I can't make a final judgement on whether this is sufficient – note the discussions below.

What blocks MSDT is …

However, Microsoft writes that blocking MSDT via features like Windows Defender Application Control (WDAC) prevents exploitation of the vulnerability. However, this feature is only available on Windows 10 Enterprise. Blocking via software restriction policy is also possible. 

Qakbot malware family uses Follina

Days ago, I mentioned within the blog post Follina (CVE-2022-30190): No major attack wave, but campaigns on EU/US and other targets that no major attack wave has been observed. Only state actors seem to use the vulnerability specifically for attacks on selected victims.

Qakbot uses Follina

However, that is about to change, as the above tweet suggests. A security researcher has come across a malware sample that uses the attack vector. The sample is from the Qakbot malware family, so its developers have adapted the vulnerability in the meantime. This tweet from Proofpoint also points in this direction. The colleagues from Bleeping Computer have collected some hints about it in this blog post.

Similar articles:
Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190)
Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks
0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows
Follina (CVE-2022-30190): No major attack wave, but campaigns on EU/US and other targets


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.