Home  /  CybersecurityMicrosoftNewsWindows Update  /  Threat Advisory: CVE-2022-30190 ‘Follina’ – Severe Zero-day Vulnerability discovered in MSDT
Threat Advisory: CVE-2022-30190 ‘Follina’ – Severe Zero-day Vulnerability discovered in MSDT

Threat Advisory: CVE-2022-30190 ‘Follina’ – Severe Zero-day Vulnerability discovered in MSDT

Written by Seqrite
Seqrite
Cybersecurity, Microsoft, News, Windows Update

A Zero-day Remote Code Execution Vulnerability with high severity has been identified as CVE-2022-30190 “FOLLINA” in Microsoft Windows Support Diagnostic Tool (MSDT).

MSDT is a tool present on Windows version 7 and above and is used for the diagnosis of problems in applications such as Ms. Office Documents when any user reports a problem to Microsoft support.

Why is CVE-2022-30190 “Follina” vulnerability so dangerous?

This diagnostic tool (MSDT) is usually called by applications such as Ms. Office Documents which allows remote code execution with the privileges of the calling process when called via MSDT URL Protocol. An attacker can exploit this vulnerability to run any arbitrary code.

This vulnerability has been exploited in wild with the use of Ms Office Documents distributed via email to execute malicious payloads (For ex: Turian Backdoor, Cobalt Strike, etc.). Initially, a doc sample named VIP Invitation to Doha Expo 2023.docx (7c4ee39de1b67937a26c9bc1a7e5128b) used Webdav to download CobaltStrike.

Chinese APT group ‘TA413’ have exploited this Vulnerability in the wild which downloads a backdoor as a payload via MSDT URL Protocol.

Below figure shows the base64 encoded html file downloaded by DOC(SHA: 000c10fef5a643bd96da7cf3155e6a38) from hxxp://212[.]138.130.8/analysis [.]html

base64 encoded html file

Following figure shows the decoded data:

When we decoded base64 encoded data it can be clearly seen that svchosts.exe which is the backdoor is downloaded via MSDT URL PROTOCOL

Mitigation of “Follina”

 Disabling MSDT URL protocol:

  1. Execute the following command as Administrator to back up the registry key –

“reg export HKEY_CLASSES_ROOT\ms-msdt filename“

  1. To delete the registry key, execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

For restoring the registry key execute the following command as Administrator – “reg import filename”

How does Seqrite protect its customers from CVE-2022-30190 – Follina?

Seqrite protects its customers against this vulnerability in MSDT via following detections: –

  • Backdoor.Turian.S28183972
  • CVE-2022-30190.46635
  • CVE-2022-30190.46634
  • CVE-2022-30190.46624
  • CVE-2022-30190.46623

Seqrite

About Seqrite

Follow us for the latest updates and insights related to security for enterprise networks. Subscribe to our newsletter to stay...

Articles by Seqrite »

Related Posts