{"id":24714,"date":"2022-06-01T23:52:54","date_gmt":"2022-06-01T21:52:54","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24714"},"modified":"2022-06-02T11:45:55","modified_gmt":"2022-06-02T09:45:55","slug":"follina-schwachstelle-cve-2022-30190-warnungen-erste-angriffe-der-status","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/06\/01\/follina-schwachstelle-cve-2022-30190-warnungen-erste-angriffe-der-status\/","title":{"rendered":"Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks"},"content":{"rendered":"

\"Windows\"[German<\/a>]Since the weekend, a new Windows vulnerability CVE-2022-30190 in combination with Microsoft Office has been knows under the name Follina. In the meantime, the US CISA and also the BSI have warned about this vulnerability – while security researchers have observed the first attacks via this 0-day vulnerability by Chinese APTs. Meanwhile, it is also clear that this attack works without Microsoft Office. The CVE-2022-30190 vulnerabilities could become the next big thing in security if anti-virus solutions also detect infected documents. Here's an overview of the latest findings.<\/p>\n

<\/p>\n

Vulnerability CVE-2022-30190<\/h2>\n

\"\"Vulnerability CVE-2022-30190 allows the Microsoft Support Diagnostics Utility to be abused via the ms-msdt:<\/em> protocol to download malicious Word documents (or Excel spreadsheets) from the Web. I had mentioned this issue in the blog post Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190)<\/a>. The following tweet shows an overview of which Office versions are allegedly vulnerable and which are not – where the statements (e.g. about Office 2021) contradict the statements of security researcher Kevin Beaumont, which I quote in my article above. I assume that in case of doubt all Office versions are vulnerable.<\/p>\n

\"Follina\"<\/a><\/p>\n

Microsoft has since released a support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability<\/a> for CVE-2022-30190. There is also some discussion there with regard to mitigating the vulnerability. In addition, Microsoft Defender build 1.367.719.0 or later detects such attacks via its signature files.<\/p>\n

The vulnerability is being exploited<\/h2>\n

Microsoft has warned in an emailed security advisory about CVE-2022-30190<\/a> and wrote, hat the vulnerability is already being exploited. Arstechnica points out in this article<\/a> that this vulnerability has been exploited for seven weeks, as discovered by Shadow Chaser security researcher.<\/p>\n

\"<\/a><\/p>\n

Security researcher Kevin Beaumont points out in the above tweet<\/a> a report from Proofpoint that Chinese APTs are already actively exploiting the CVE-2022-30190 vulnerability. The attackers are impersonating the Central Tibetan Administration's \"Women Empowerments Desk\" in attack campaigns and using the domain tibet-gov.web[.]app.<\/em> URLs are used to attempt to download a Word document packed into a ZIP archive. The document exploits the Folloinia vulnerability. Beaumont has since amended his post Follina \u2014 a Microsoft Office code execution vulnerability<\/a> dated May 29, 2022 accordingly.<\/p>\n

Security researcher Will Dormann has once again analyzed the exploitation of the vulnerability in a series of tweets<\/a> and writes that the pattern is similar to the MSHTML vulnerability CVE-2021-40444 discovered months ago. In the following tweet<\/a>, he states that a redirect to an exploit can be forced using wget via PowerShell – no Office is required.<\/p>\n

\"wget<\/a><\/p>\n

US-CERT warns<\/h2>\n

US-CERT, a U.S. security agency warns about the vulnerability according to the following tweet<\/a> linking to this document<\/a> and recommends administrators to refer to the Microsoft support document Guidance Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability<\/a>.<\/p>\n

\"US-CERT<\/a><\/p>\n

According to the Common Vulnerability Scoring System (CVSS), the severity of the vulnerabilities is rated at 7.8 (CVSSv3.1). Frank Carius also points to this German post<\/a> from nospamproxy.de via Twitter<\/a>, which explains how to protect yourself from Follina via the Nospam proxy.<\/p>\n

Addendum:<\/strong> A YouTube video with a demo of the PoC may be found here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Since the weekend, a new Windows vulnerability CVE-2022-30190 in combination with Microsoft Office has been knows under the name Follina. In the meantime, the US CISA and also the BSI have warned about this vulnerability – while security researchers have … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,580,2],"tags":[125,69,194],"class_list":["post-24714","post","type-post","status-publish","format-standard","hentry","category-office","category-security","category-windows","tag-office","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24714"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24714\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}