On May 27th 2022, a new zero-day remote code execution (RCE) vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT) came to light. According to Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. It abuses a built-in Windows URL protocol handler (ms-msdt:) to launch msdt.exe with attacker-controlled parameters, and that process is then used to run PowerShell commands.
The vulnerability was identified when nao_sec found an interesting Word document which appeared to execute PowerShell using the ms-msdt scheme. Security researcher Kevin Beaumont subsequently confirmed the vulnerability to be a new Windows zero day. He also named the vulnerability “Follina”, because a malicious file sample he examined that targeted the vulnerability references 0438, which is the area code for the Italian village of Follina.
Threat actors are actively working to exploit the vulnerability via targeted phishing campaigns, so organizations should prioritize mitigation strategies—such as those described in this blog—until a patch is available and can be successfully deployed.
What is MSDT?
MSDT (Microsoft Support Diagnostic Tool) is a diagnostic and troubleshooting tool built into the Windows operating system. From Microsoft’s documentation it “Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.”
What are URL Handlers?
When an application is installed on Windows, it can register a custom URI scheme (a protocol handler) in the registry, so that any link using that scheme, whether clicked in a browser, embedded in a document or followed by a script, launches the application with the link text passed as an argument.
Windows ships with many URL handlers for built-in components, including one for msdt.exe: ms-msdt:.
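The following PowerShell is an added example, not code from the original post or from BeyondTrust. It lists the URL protocol handlers registered under HKEY_CLASSES_ROOT (a scheme is a protocol handler when its key carries a "URL Protocol" value), shows which executable ms-msdt: resolves to, and wraps the interim workaround Microsoft published for CVE-2022-30190 (export, then delete the ms-msdt key). The function names and the backup path are this example's own choices.

```powershell
# Added example (not from the original post): enumerate URL protocol handlers
# registered under HKEY_CLASSES_ROOT and show which executable each one launches.
# A scheme counts as a protocol handler when its key has a "URL Protocol" value.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the scheme name, e.g. 'ms-msdt' or 'ms-*'
        [string]$Scheme = '*'
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Scheme -and
                       $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey  = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = if (Test-Path -Path $cmdKey) {
                (Get-ItemProperty -Path $cmdKey).'(default)'
            } else { $null }
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $command   # %1 is replaced by the full URL, attacker parameters included
            }
        }
}

# What does ms-msdt: launch on this host? On an unpatched system the command is msdt.exe.
Get-UrlProtocolHandler -Scheme 'ms-msdt'

# Microsoft's published interim workaround for CVE-2022-30190 was to back up and delete
# the handler key so ms-msdt: links no longer resolve to msdt.exe. Requires an elevated
# prompt; supports -WhatIf so the change can be previewed first.
function Disable-MsMsdtHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical default backup location chosen for this example
        [string]$BackupPath = "$env:TEMP\ms-msdt.reg"
    )
    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\ms-msdt', 'export and delete')) {
        reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null
        reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
        "Handler removed; backup written to $BackupPath"
    }
}

# Disable-MsMsdtHandler -WhatIf   # preview; drop -WhatIf to apply
```

Run `Get-UrlProtocolHandler` without a filter to see every scheme a document or web page can reach on the endpoint; ms-msdt: is only one of them. Restoring the handler later is `reg.exe import` of the exported file.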
How is CVE 2022-30190 being exploited?
The primary method currently observed for exploiting Follina is via phishing emails that contain malicious Office documents. For example, an attacker crafts a Word document that references an external resource on an attacker-controlled server (an external OLE object relationship inside the document). That server returns an HTML file whose script navigates to an ms-msdt: URL, and the parameters of that URL carry the attacker's command. For documents downloaded from the internet, Protected View blocks the retrieval until the user clicks Enable Editing; the RTF variant of the sample avoids even that, because Windows Explorer's preview pane renders it without the file being opened.
When the Word document is opened (or previewed), Word follows the link and the ms-msdt: handler launches msdt.exe with the parameters specified. msdt.exe hands the troubleshooting pack to sdiagnhost.exe, the Scripted Diagnostics host, which is started via DCOM rather than as a direct child of msdt.exe. sdiagnhost.exe loads the PowerShell engine DLLs into its own process to run the PowerShell commands, so powershell.exe is never launched and detections keyed on that process name miss the execution.
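The script below is an added example, not code from the original post or from BeyondTrust. It shows how the chain described above looks in endpoint telemetry and how to detect it without relying on powershell.exe: it correlates a PowerShell engine load (System.Management.Automation.dll) inside sdiagnhost.exe back to a suspicious msdt.exe launch shortly before it. The records are constructed for this example, with field names mirroring Sysmon Event 1 (ProcessCreate) and Event 7 (ImageLoad); the 60-second correlation window and the list of Office parent processes are this example's own assumptions, not values from the post.

```powershell
# Added example (not from the original post): detect the Follina process chain
# Office -> msdt.exe -> sdiagnhost.exe (PowerShell loaded in-process) over constructed
# Sysmon-style records. Every record below is made up for this example.
$events = @(
    [pscustomobject]@{ Time=[datetime]'2022-05-30T09:00:00'; Id=1; ProcessId=4100
        Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        ParentImage='C:\Windows\explorer.exe'
        CommandLine='"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"' }
    [pscustomobject]@{ Time=[datetime]'2022-05-30T09:00:07'; Id=1; ProcessId=4212
        Image='C:\Windows\system32\msdt.exe'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine='"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "..."' }
    # sdiagnhost.exe is started by svchost.exe (DCOM), so its parent never points at Word
    [pscustomobject]@{ Time=[datetime]'2022-05-30T09:00:09'; Id=1; ProcessId=4388
        Image='C:\Windows\system32\sdiagnhost.exe'
        ParentImage='C:\Windows\system32\svchost.exe'
        CommandLine='C:\Windows\system32\sdiagnhost.exe -Embedding' }
    [pscustomobject]@{ Time=[datetime]'2022-05-30T09:00:10'; Id=7; ProcessId=4388
        Image='C:\Windows\system32\sdiagnhost.exe'
        ImageLoaded='C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll' }
    # Benign: a user ran a troubleshooter from Control Panel; same DLL load, no Office parent
    [pscustomobject]@{ Time=[datetime]'2022-05-30T10:15:00'; Id=1; ProcessId=5020
        Image='C:\Windows\system32\msdt.exe'
        ParentImage='C:\Windows\system32\control.exe'
        CommandLine='"C:\Windows\system32\msdt.exe" -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ Time=[datetime]'2022-05-30T10:15:03'; Id=7; ProcessId=5044
        Image='C:\Windows\system32\sdiagnhost.exe'
        ImageLoaded='C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll' }
)

# Assumptions for this example: which parents count as Office, and how far apart the
# msdt.exe launch and the PowerShell engine load may be to be treated as one chain.
$officeParents = 'WINWORD.EXE','EXCEL.EXE','POWERPNT.EXE','OUTLOOK.EXE','MSACCESS.EXE','MSPUB.EXE'
$window        = New-TimeSpan -Seconds 60

function Get-Leaf([string]$Path) { if ($Path) { Split-Path -Path $Path -Leaf } else { '' } }

# Rule A: msdt.exe spawned by an Office process, or handed an ms-msdt: URL on its command line.
$suspiciousMsdt = $events | Where-Object {
    $_.Id -eq 1 -and (Get-Leaf $_.Image) -ieq 'msdt.exe' -and (
        $officeParents -contains (Get-Leaf $_.ParentImage) -or
        $_.CommandLine -match 'ms-msdt:'
    )
}

# Rule B: the PowerShell engine loaded inside sdiagnhost.exe. On its own this fires for
# every legitimate troubleshooter too, so it is only reported when Rule A fired within
# $window beforehand; that time-based link stands in for the parent sdiagnhost.exe lacks.
$alerts = foreach ($load in ($events | Where-Object {
        $_.Id -eq 7 -and (Get-Leaf $_.Image) -ieq 'sdiagnhost.exe' -and
        (Get-Leaf $_.ImageLoaded) -ieq 'System.Management.Automation.dll' })) {
    $trigger = $suspiciousMsdt |
        Where-Object { $_.Time -le $load.Time -and ($load.Time - $_.Time) -le $window } |
        Select-Object -Last 1
    if ($trigger) {
        [pscustomobject]@{
            Time        = $load.Time
            Rule        = 'Follina chain: Office -> msdt.exe -> sdiagnhost.exe (PowerShell in-process)'
            MsdtParent  = Get-Leaf $trigger.ParentImage
            MsdtCommand = $trigger.CommandLine
            HostPid     = $load.ProcessId
        }
    }
}

$alerts | Format-List
```

With the constructed records, only the 09:00:10 DLL load is reported: the 10:15 troubleshooter run loads the same PowerShell engine but has no Office-spawned or ms-msdt: msdt.exe in the preceding minute. Against live data, feed the same rules from Get-WinEvent on the Sysmon operational log, and treat a powershell.exe-only detection as incomplete for this vulnerability.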
Watch this video clip to see how the Follina vulnerability executes
How BeyondTrust Privilege Management for Windows can mitigate Follina
BeyondTrust Privilege Management for Windows pairs least privilege management with application control to provide preventative endpoint security. Here is how the solution provides proactive protection against Follina, as well as many other types of cyber threats.
1. Removes admin rights and enforces true least privilege (just-enough access + just-in-time access): Most malware and attacks require privileges to execute or to move laterally, and exploits leveraging the Follina vulnerability are no different. The attacker's code executes only in the context of the targeted user, so a standard user with fewer privileges presents far less risk than a local admin user. This is another salient reminder of the protection conferred by implementing the principle of least privilege (PoLP).
2. Applies advanced application control: Application control can be used to block the attacker's ability to execute payloads or exploitable applications, such as msdt.exe. The parent tracking capabilities of Privilege Management for Windows application control also allow control of out-of-hierarchy processes like sdiagnhost.exe (shown in the diagram above), which is started via DCOM rather than as a child of msdt.exe, by linking them back to the real parent.
BeyondTrust customers with existing TAP policies can use this guide to mitigate Follina.
In our soon-to-be-released (July 2022) version 22.5 of Privilege Management for Windows, customers who import our Trusted Application Protection (TAP) policies will be protected from Follina by default.
Watch this short clip to see how BeyondTrust mitigates CVE 2022-30190 (Follina)
To learn more about the Microsoft vulnerabilities landscape, including research-backed tips on best practices for mitigation, and expert commentary, be sure to check out the latest edition of our annual Microsoft Vulnerabilities Report (2022).
Wes Parsons, Senior Application Security Engineer
Wes Parsons is a Senior Application Security Engineer at BeyondTrust. With over 8 years in application security, Wes uses his experience of both offensive and defensive cybersecurity to help build secure software.