Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks

Windows[German]Since the weekend, a new Windows vulnerability CVE-2022-30190 in combination with Microsoft Office has been knows under the name Follina. In the meantime, the US CISA and also the BSI have warned about this vulnerability – while security researchers have observed the first attacks via this 0-day vulnerability by Chinese APTs. Meanwhile, it is also clear that this attack works without Microsoft Office. The CVE-2022-30190 vulnerabilities could become the next big thing in security if anti-virus solutions also detect infected documents. Here's an overview of the latest findings.


Advertising

Vulnerability CVE-2022-30190

Vulnerability CVE-2022-30190 allows the Microsoft Support Diagnostics Utility to be abused via the ms-msdt: protocol to download malicious Word documents (or Excel spreadsheets) from the Web. I had mentioned this issue in the blog post Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190). The following tweet shows an overview of which Office versions are allegedly vulnerable and which are not – where the statements (e.g. about Office 2021) contradict the statements of security researcher Kevin Beaumont, which I quote in my article above. I assume that in case of doubt all Office versions are vulnerable.

Follina

Microsoft has since released a support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability for CVE-2022-30190. There is also some discussion there with regard to mitigating the vulnerability. In addition, Microsoft Defender build 1.367.719.0 or later detects such attacks via its signature files.

The vulnerability is being exploited

Microsoft has warned in an emailed security advisory about CVE-2022-30190 and wrote, hat the vulnerability is already being exploited. Arstechnica points out in this article that this vulnerability has been exploited for seven weeks, as discovered by Shadow Chaser security researcher.

 CVE-2022-30190 exploited by Chinese APT


Advertising

Security researcher Kevin Beaumont points out in the above tweet a report from Proofpoint that Chinese APTs are already actively exploiting the CVE-2022-30190 vulnerability. The attackers are impersonating the Central Tibetan Administration's "Women Empowerments Desk" in attack campaigns and using the domain tibet-gov.web[.]app. URLs are used to attempt to download a Word document packed into a ZIP archive. The document exploits the Folloinia vulnerability. Beaumont has since amended his post Follina — a Microsoft Office code execution vulnerability dated May 29, 2022 accordingly.

Security researcher Will Dormann has once again analyzed the exploitation of the vulnerability in a series of tweets and writes that the pattern is similar to the MSHTML vulnerability CVE-2021-40444 discovered months ago. In the following tweet, he states that a redirect to an exploit can be forced using wget via PowerShell – no Office is required.

wget & Powershell to abouse CVE-2021-40444

US-CERT warns

US-CERT, a U.S. security agency warns about the vulnerability according to the following tweet linking to this document and recommends administrators to refer to the Microsoft support document Guidance Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.

US-CERT CVE-2022-30190

According to the Common Vulnerability Scoring System (CVSS), the severity of the vulnerabilities is rated at 7.8 (CVSSv3.1). Frank Carius also points to this German post from nospamproxy.de via Twitter, which explains how to protect yourself from Follina via the Nospam proxy.

Addendum: A YouTube video with a demo of the PoC may be found here.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Office, Security, Windows and tagged , , . Bookmark the permalink.

2 Responses to Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks

  1. Felix says:

    Gibt es irgendwo ein Testdatei womit man seine Infrastruktur überprüfen kann ob AV xy das abfängt?

    • guenni says:

      Wrong language – it's an English blog here – your German question would fit better in my German blog.

      The answer to your question: I'm not aware of a public "test file" for that purpose. Security researchers share some exploits. But: That doesn't help at all, if an attacker mange it somehow, to bypass the AV trigger.

Leave a Reply

Your email address will not be published. Required fields are marked *