Zero-day Vulnerability Affecting the Microsoft Windows Support Diagnostic Tool (MSDT)

This blog was originally published by CrowdStrike here.

Written by Dan Fernandez - Liviu Arsene, Endpoint & Cloud Security.

• On May 27, 2022, a remote code execution vulnerability was reported affecting the Microsoft Windows Support Diagnostic Tool (MSDT)
• The vulnerability, which is classified as a zero-day, can be invoked via weaponized Office documents, Rich Text Format (RTF) files, XML files and HTML files
• At time of writing, there is no patch available from the vendor

A new zero-day remote code execution vulnerability (CVE-2022-30190) was reported by security researchers on May 27, 2022. The flaw, dubbed Follina, affects the Microsoft Windows Support Diagnostic Tool (MSDT). Successful exploitation of the vulnerability abuses native trust granted to the Microsoft Windows Diagnostics Tool (msdt.exe) allowing it to download and execute remote code. At time of writing, research indicates that exploiting file-based versions of the vulnerability requires user interaction, by opening a tained Microsoft Office, RTF, XML or HTML file.

Proof-of-concept payloads are publicly available and exploitation of this vulnerability is of low complexity.

A Primer on How the Vulnerability Works

The initial proofs of concept (POCs) leverage a Microsoft Office remote template feature to retrieve a weaponized HTML file from a remote server. Once retrieved, the HTML file utilizes the ms-msdt MSProtocol URI to import shellcode and execute PowerShell commands.

This vulnerability bears similarities to CVE-2021-40444 as both manipulate how HTML or Javascript code is loaded through an external link. However, Follina is significantly less complex to leverage and contains fewer dependencies.

How to Protect your Organization from Follina

Organizations need to take a in-depth defense approach to protecting customers by employing machine learning (ML) and behavior-based IOAs using incoming telemetry to power detections and provide real-time threat mitigation.

Proactive threat-hunting combined with malware and exploit research are critical as well. Ideally, as soon as critical content is available, an organization will have the tools available to push updates in real time to all customers without having to upgrade or update the sensor.

Follina Phishing Attack Prevention Scenario

An attacker can send a maliciously crafted Microsoft Office or RTF document via email to invoke remote code execution when run. Organizations need prevention and detection capabilities that can immediately shut down attack attempts such as these.

Follina PowerShell (wget) Attack Prevention Scenario

As reported, an attacker can leverage non-document techniques — such as a wget request from PowerShell to an attacker controlled domain — to retrieve an HTML payload to further actions on objectives via remote code execution. It’s critical for all organizations to be able to automatically prevent and detect this attack scenario using behavior-based IOAs.

Shining a Light on Vulnerable Endpoints

Organizations looking to gain additional visibility into endpoints vulnerable to Follina (CVE-2022-30190) need always-on automated vulnerability management tool that allows them to research and analyze insights to track their exposure and remediation progress.