
CVE-2022-30190, AKA Follina, Uses Macro-less Word Docs to Drop RCE Files 

Rated 7.8 (high) on the CVSS 3.x base score, CVE-2022-30190 takes advantage of MSDT (Microsoft Support Diagnostic Tool), an official tool built into all versions of Windows.

Though officially issued on May 30, 2022, CVE-2022-30190 was detected in the wild as early as April 2022. Microsoft ignored a warning from the Crazyman_Army research team that a zero-day RCE vulnerability had been detected in one of its products, and closed the vulnerability submission report, then called VULN-065524, classifying it as “fixed”.

 

Security researcher nao_sec was credited with uncovering the vulnerability, reportedly while checking VirusTotal for files using CVE-2021-40444. Public disclosure of CVE-2022-30190 took place on May 27, 2022, followed on May 30 by Microsoft’s publication of mitigation guidance.

Anyone can open the tool from the Start Menu by typing MSDT in the search bar; the dialog window that opens asks for a passkey. This is because the tool is built to be used exclusively by users in communication with a Microsoft support professional, who provides the passkey and uses it to remotely run diagnostic tools.

The Microsoft support agent then calls the special URL protocol ms-msdt:// that enables the support agent to run the diagnostic tools on the user’s machine.  

These special URL protocols open the door to executing PowerShell code, enabling attackers to run malicious code on the targeted machine. 

Dubbed Follina, the CVE-2022-30190 vulnerability enables malicious actors to activate MSDT from a regular .docx or .rtf document even without enabled macros, and even when opened in a protected view. To make matters worse, it also works on .docs shared files.  

Once past this initial barrier to entry, attackers can use the ms-msdt Microsoft protocol URI scheme to load their code and execute arbitrary PowerShell, granting them the power to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
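The behaviour described above, a document-handling Office application starting MSDT through the ms-msdt protocol, is visible in process-creation telemetry. The detection logic below is an added example, not code from the original article or from Microsoft; the Sysmon-style field names (Image, ParentImage, CommandLine), the Office parent list and the sample events are constructed assumptions.

```python
import ntpath

# Assumed list of Office binaries that open documents; extend for your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"msdt.exe ms-msdt:<constructed-arguments>"},
    {"host": "ws-02", "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe"'},
    {"host": "ws-03", "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r"msdt.exe ms-msdt:<constructed-arguments>"},
    {"host": "ws-04", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

def _exe(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename((path or "").strip('"')).lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if _exe(event.get("Image")) != "msdt.exe":
        return None
    if _exe(event.get("ParentImage")) in OFFICE_PARENTS:
        return "high"    # an Office application started the diagnostic tool
    if "ms-msdt:" in (event.get("CommandLine") or "").lower():
        return "medium"  # protocol handler used elsewhere: confirm a support session
    return None          # e.g. a user opening MSDT from the Start Menu

def triage(events):
    """List (host, severity, parent) for every event that needs review."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity:
            hits.append((ev.get("host", "?"), severity, _exe(ev.get("ParentImage"))))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Once the MSDT URL protocol has been disabled as Microsoft recommends, a "high" hit also means the workaround is missing or was reverted on that host.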

Word to the Unwise  

CVE-2022-30190 has been confirmed in Office 2013, 2016, 2019, 2021, Office Pro Plus, and Office 365. As exploits leveraging it can be activated simply by the target opening a Word document, any network user is now a potential victim until the workarounds published by Microsoft Security Response Center have been applied and, most importantly, fully validated.

Microsoft guidance recommends disabling the MSDT URL protocol, effectively preventing attackers from taking advantage of it for malicious purposes.
 

Verify Your Exposure to CVE-2022-30190 

A PoC for locally testing for the Follina Office RCE vulnerability can be found on GitHub.
 

[Image: Follina RCE usage script, followed by the results it produces]


By the end of June 2, Cymulate users could already access a purple team scenario with an off-the-shelf, production-safe payload to validate their resilience to CVE-2022-30190. 

As of June 1, Cymulate had already published a dedicated Immediate Threat Intelligence kit for Follina, accessible to all Cymulate users.

 

[Image: Cymulate's Immediate Threat CVE-2022-30190 kit]
 

 

Cymulate users can already update their SIEM signature bank with multiple IoCs, and will soon have access to additional options to expand the breadth of purple team scenario validation. 

 

[Image: SIEM Follina Cymulate]

 
