CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.972 High
Percentile: 99.8%
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
Recent assessments:
bwatters-r7 at May 31, 2022 12:56pm UTC reported:
EDIT: This was a quick description, and while it is still accurate as far as I know, a Rapid7 evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>
This is a relatively new vulnerability in the Microsoft Support Diagnostic Tool Vulnerability, so it is likely more information will come out in the coming days.
Currently, as seen in the wild, this vulnerability is embedded in a Word document and likely distributed with a *.rar file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool Vulnerability) protocol, which is then coerced into launching a command.
As reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939>, the command opens the accompanying *.rar file and pulls a base64 encoded *.cab file from it, then expands the *.cab file and runs a file contained in the cab file called rgb.exe.
THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECOMMEND POLICING FOR IT WITHOUT OTHER RULES.
Microsoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>
Users are required to delete a single registry key called HKEY_CLASSES_ROOT\ms-msdt, though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload.
Further reading:
<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>
Untested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py>
<https://www.scythe.io/library/breaking-follina-msdt-vulnerability>
UPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just viewing the file in the preview pane with explorer.exe. (details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190> and the above doublepulsar blog post)
Assessed Attacker Value: 4
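As an added example (not code from the assessment above or from Microsoft's guidance), a PowerShell script that applies the registry workaround reversibly: it exports HKEY_CLASSES_ROOT\ms-msdt to a .reg backup before deleting the key, verifies the deletion, and can restore the key if a side effect turns up. The backup path and the function names are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: reversible removal of the ms-msdt protocol handler registration.
# Assumed backup location; adjust to your own change-control conventions.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupReg = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Backup-MsdtHandler {
    # reg.exe export writes a .reg file that 'reg.exe import' can restore later
    if (-not (Test-Path $KeyPath)) {
        Write-Warning 'ms-msdt key not present; nothing to back up'
        return $false
    }
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupReg /y | Out-Null
    return (Test-Path $BackupReg)
}

function Remove-MsdtHandler {
    # Delete the handler only once a backup exists, so the change can be undone
    if (-not (Backup-MsdtHandler)) { return $false }
    Remove-Item -Path $KeyPath -Recurse -Force
    return -not (Test-Path $KeyPath)
}

function Restore-MsdtHandler {
    # Re-import the exported key if the removal causes an unexpected side effect
    reg.exe import $BackupReg | Out-Null
    return (Test-Path $KeyPath)
}

function Test-MsdtHandlerRemoved {
    # Compliance check for an inventory script: $true when the workaround is in place
    return -not (Test-Path $KeyPath)
}

if (Remove-MsdtHandler) {
    "ms-msdt protocol handler removed; backup written to $BackupReg"
} else {
    Write-Error 'removal failed or key was already absent'
}
```

Restore-MsdtHandler reverses the change from the same backup file, which covers the side-effect question the assessment raises.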
packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html
blog.underc0de.org/xworm-malware-explota-la-vulnerabilidad-de-follina-en-una-nueva-ola-de-ataques/
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190