Mitigating the Follina Zero-Day Vulnerability (CVE 2022-30190) with Privilege Management for Windows

June 10, 2022


On May 27, 2022, a new zero-day remote code execution (RCE) vulnerability (CVE-2022-30190) was discovered in the Microsoft Support Diagnostic Tool (MSDT). According to Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. It abuses a built-in Windows URL handler (ms-msdt) to launch msdt.exe, and that process can then be made to execute PowerShell commands.

The vulnerability was identified when nao_sec found a suspicious Word document that appeared to execute PowerShell via the ms-msdt URL scheme. Security researcher Kevin Beaumont subsequently confirmed it to be a new Windows zero-day. He also named the vulnerability “Follina”, because a malicious file sample he examined that targeted the vulnerability references 0438, the area code for the Italian village of Follina.

Threat actors are actively working to exploit the vulnerability via targeted phishing campaigns, so organizations should prioritize mitigation strategies—such as those described in this blog—until a patch is available and can be successfully deployed.

What is MSDT?

MSDT (Microsoft Support Diagnostic Tool) is a diagnostic and troubleshooting tool built into the Windows operating system. From Microsoft’s documentation it “Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.”

What are URL Handlers?

When an application is installed on Windows, it can register a custom URL scheme so that a link using that scheme launches the application.

Windows has many default URL handlers for applications built into the operating system, including one for msdt.exe – ms-msdt:/.

How is CVE 2022-30190 being exploited?

The primary method currently observed for exploiting Follina is via phishing emails that contain malicious Office documents. For example, an attacker can craft a Word document that links to an external server. This server hosts a file that contains the ms-msdt:/ URL.

When the Word document is opened by an end user, the malicious payload launches msdt.exe with the specified parameters. Msdt.exe in turn launches sdiagnhost.exe, which loads the PowerShell DLLs to run PowerShell commands without ever launching powershell.exe directly.

Figure 1 – Example Follina Attack Path

Watch this video clip to see how the Follina vulnerability executes

Follina vulnerability executing - unmitigated

How BeyondTrust Privilege Management for Windows can mitigate Follina

BeyondTrust Privilege Management for Windows pairs least privilege management with application control to provide preventative endpoint security. Here’s how the solution can provide proactive protection against Follina, as well as many other types of cyber threats.

1. Removes admin rights and enforces true least privilege (just-enough access + just-in-time access): Most malware and attacks require privileges to execute or to move laterally, and exploits leveraging the Follina vulnerability are no different. An attacker’s code will only execute within the context of the targeted user, so a standard user with fewer privileges presents far less risk than a local admin user. This is another salient reminder of the protection conferred by implementing the principle of least privilege (PoLP).

2. Applies advanced application control: Application control can be used to block the attacker’s ability to execute payloads or exploitable applications, such as msdt.exe. The advanced parent tracking capabilities of Privilege Management for Windows application control also allow control of out-of-hierarchy processes like sdiagnhost.exe (shown in the diagram above) by linking them back to their real parent.
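As an added example (not BeyondTrust's code, and not a description of how Privilege Management for Windows implements its parent tracking), the following Python sketch shows how a detection or application-control rule can reason about the process chain in Figure 1: an Office application spawning msdt.exe, and sdiagnhost.exe arriving outside the normal hierarchy and being linked back to the msdt.exe that triggered it so that its real ancestry can be evaluated. The event records, the 30-second correlation window and the session-based linking heuristic are constructed assumptions for this example.

```python
"""
Process-ancestry checks for the Follina attack path (added example, not
BeyondTrust's code). Models two defender-side rules over constructed
process-creation events:

  1. an Office application directly spawning msdt.exe;
  2. sdiagnhost.exe appearing "out of hierarchy" (its recorded parent is a
     service host, not msdt.exe) and being linked back to the msdt.exe that
     triggered it, so its real ancestry can be evaluated.

The linking heuristic (most recent msdt.exe in the same logon session within
a short window) is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LINK_WINDOW_SECONDS = 30  # assumption: how far back to look for the triggering msdt.exe


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds on a constructed clock
    pid: int
    ppid: int      # parent pid as recorded by the telemetry source
    image: str     # lowercase image file name
    session: int   # logon session the process runs in


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    chain: tuple   # ancestry, youngest process first


def effective_parent(by_pid: Dict[int, ProcEvent], events: List[ProcEvent],
                     e: ProcEvent) -> Optional[ProcEvent]:
    """Return the event to treat as the real parent of `e`.

    For sdiagnhost.exe whose recorded parent is not msdt.exe, link it to the
    most recent msdt.exe in the same session inside LINK_WINDOW_SECONDS.
    """
    recorded = by_pid.get(e.ppid)
    if e.image == "sdiagnhost.exe" and (recorded is None or recorded.image != "msdt.exe"):
        candidates = [m for m in events
                      if m.image == "msdt.exe" and m.session == e.session
                      and 0 <= e.ts - m.ts <= LINK_WINDOW_SECONDS]
        if candidates:
            return max(candidates, key=lambda m: m.ts)
    return recorded


def linked_ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk parents upward (via effective_parent) and return image names."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:  # `seen` guards against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = effective_parent(by_pid, events, cur)
    return chain


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Apply both rules to every event and return alerts in event order."""
    alerts = []
    for e in events:
        chain = linked_ancestry(events, e.pid)
        if e.image == "msdt.exe" and len(chain) > 1 and chain[1] in OFFICE_APPS:
            alerts.append(Alert("office-spawns-msdt", e.pid, tuple(chain)))
        elif e.image == "sdiagnhost.exe" and any(img in OFFICE_APPS for img in chain[1:]):
            alerts.append(Alert("sdiagnhost-linked-to-office", e.pid, tuple(chain)))
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(ts=0,  pid=100, ppid=1,   image="explorer.exe",   session=1),
    ProcEvent(ts=1,  pid=50,  ppid=1,   image="svchost.exe",    session=0),  # service host
    ProcEvent(ts=5,  pid=200, ppid=100, image="winword.exe",    session=1),
    ProcEvent(ts=12, pid=300, ppid=200, image="msdt.exe",       session=1),  # launched by the document
    ProcEvent(ts=14, pid=400, ppid=50,  image="sdiagnhost.exe", session=1),  # out of hierarchy
    # Benign: an operator runs msdt.exe from a console; its sdiagnhost.exe also arrives via the service host.
    ProcEvent(ts=40, pid=500, ppid=100, image="cmd.exe",        session=1),
    ProcEvent(ts=41, pid=510, ppid=500, image="msdt.exe",       session=1),
    ProcEvent(ts=43, pid=520, ppid=50,  image="sdiagnhost.exe", session=1),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule}: pid {a.pid} chain {' <- '.join(a.chain)}")
```

Run against the constructed events, the first rule flags the msdt.exe started under winword.exe, and the second links the out-of-hierarchy sdiagnhost.exe back through that msdt.exe to Word; the operator's console-launched msdt.exe and its sdiagnhost.exe resolve to a cmd.exe ancestry and raise nothing.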

BeyondTrust customers with existing Trusted Application Protection (TAP) policies can use this guide to mitigate Follina.

In the upcoming (July 2022) version 22.5 of Privilege Management for Windows, customers who import our TAP policies will be protected from Follina by default.

Watch this short clip to see how BeyondTrust mitigates CVE 2022-30190 (Follina)

Follina vulnerability mitigated by the Trusted Application Protection capability of BeyondTrust's Privilege Management for Windows product

To learn more about the Microsoft vulnerabilities landscape, including research-backed tips on best practices for mitigation, and expert commentary, be sure to check out the latest edition of our annual Microsoft Vulnerabilities Report (2022).


Wes Parsons, Senior Application Security Engineer

Wes Parsons is a Senior Application Security Engineer at BeyondTrust. With over 8 years in application security, Wes uses his experience of both offensive and defensive cybersecurity to help build secure software.
