CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

Recent assessments:

bwatters-r7 at May 31, 2022 12:56pm UTC reported:

EDIT: This was a quick description, and while it is still accurate as far as I know, A Rapid7 Evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis&gt;

This is a relatively new vulnerability in the Microsoft Support Diagnostic Tool Vulnerability, so it is likely more information will come out in the coming days.
Currently, as seen in the wild, this vulnerability is embedded in a word document and likely distributed with a *.rar file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool Vulnerability) protocol which is then coerced into launching a command.
As reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939&gt;, the command opens the accomplanying *.rar file and pulls a base64 encoded *.cab file from it, then expands the *cab file and runs a file contained in the cab file called rgb.exe THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECCOMMEND POLICING FOR IT WITHOUT OTHER RULES.
Microsoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/&gt;
Users are required to delete a single registry key called HKEY_CLASSES_ROOT\ms-msdt though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload.
Further reading:
<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e&gt;
Untested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py&gt;
<https://www.scythe.io/library/breaking-follina-msdt-vulnerability&gt;

UPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just viewing the file in the preview pane with explorer.exe. (details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190&gt; and the above doublepulsar blog post)

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 4