0-Day

What are we talking about?

On May 30 CVE 2022-30190, https://nvd.nist.gov/vuln/detail/CVE-2022-30190, was issued by Microsoft. According to the Common Vulnerability Scoring System this is currently ranked as a high-severity vulnerability with a 7.8 out of 10. A MS-Word document can be crafted to retrieve an HTML file from a remote webserver by abusing the remote template feature. The retrieved HTML file can then execute things like PowerShell on the affected host. Please note, this is a protocol vulnerability and not an application vulnerability; which means that it can be executed via multiple vectors and not just through MS-Word.

Why does this matter?

Unpatched vulnerabilities that can execute code with minimal user interaction can give a potential attacker a foothold. If the exploit was able to install itself remotely then the attacker may be able to exfiltrate data from your environment.

What should you be doing?

Install the patch immediately if you can.

For those organizations that store, process or transmit cardholder data, PCI DSS 4.0 control 6.3.3 requires that “Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.”

If you cannot install the patch check the GPO workaround:

GUI:

Execute the group policy editor and navigate to: 

Computer Configuration/Administrative Templates/System/Troubleshooting and Diagnostics/Scripted Diagnostics

Troubleshooting: Allow users to access and run Troubleshooting Wizards -> disabled

Registry Hack:

For the Troubleshooting Wizards

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0

For the entire Microsoft Support Diagnostic Tool URL Protocol

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

MOST IMPORTANTLY, after you apply the patch or either workaround, verify that you cannot exploit the vulnerability. Here are some resources that can assist with that:

Proof-of-concept (PoC) code

https://github.com/chvancooten/follina.py

https://github.com/mr-r3b00t/msdt_pwn

Enable the correct scanner plugins for detection, in Nessus:

https://www.tenable.com/plugins/nessus/161691

Lastly, everything above was compiled and abbreviated from a list of great researchers. Please view their original content here.

References:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

https://www.darkreading.com/endpoint/attackers-actively-exploiting-new-microsoft-zero-day

https://www.pwndefend.com/2022/05/30/office-microsoft-support-diagnostic-tool-msdt-vulnerability-follina/

https://github.com/chvancooten/follina.py

https://twitter.com/gentilkiwi/status/1531384447219781634

https://securityaffairs.co/wordpress/131824/security/microsoft-workarounds-microsoft-office-0day.html