The “Follina” Vulnerability: Microsoft Support Diagnostic Tool Alert for Zero Day Exploit CVE-2022-30190

June 27, 2022

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

On May 30, 2022, Microsoft issued an alert regarding a vulnerability in its Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents and results in the unauthorized installation of programs or access to data. It has been named by Microsoft as “Microsoft Windows Support Diagnostic Tool Remote Code Execution Vulnerability” and has been assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2022-30190. It also has a Common Vulnerability Scoring System (CVSS) severity rating of 7.8 out of 10.

The vulnerability evades common protections associated with Microsoft Office documents, requires minimal user interaction, and can be used by a remote attacker to execute arbitrary code, escalate privileges to fully take over a machine, or deploy additional malware. One of the first sightings of the exploit in the wild occurred on May 27, 2022, and was contained in a Microsoft Word document from Belarus. The document called out to an external HTML file, which used the MSDT protocol to execute PowerShell code. The return payload was base64-encoded PowerShell code, an encoding technique commonly used in ransomware exploits.

How does it work?

The attacker can create a Microsoft Office document with a link to an external malicious Object Linking and Embedding (OLE) object such as an HTML file located on a remote server. The data used to describe the link are placed in the tag with attributes, and require the payload to be a certain size (4096 bytes) to work. This is because of the CHtmPre bug, which accepts a default read size of 4096 bytes – anything less and the payload will fail. The link in the target attribute points to the external object, inside of which a malicious script is written using a special URI scheme.

When opened, the document runs MSDT. Through a set of parameters, the attacker can pass any command to this tool for execution on the victim’s system with the privileges of the user who opened the document. The command can be passed even if the document is opened in Protected Mode and macros are disabled. The vulnerability has been exploited in at least two document formats: Microsoft Word (.docx) and Rich Text Format (.rtf). The .rtf can be more dangerous because it allows execution of malicious commands even without opening the document — it can be accomplished just by previewing it in Windows Explorer.

In sum, according to Microsoft and other sources, an attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Why is it named “Follina”?

One of the first researchers to analyze the exploit named it “Follina” because the malicious file references 0438, the area code for the Italian village of Follina.

What are the potential threats?

While current reports have drawn connections to state-sponsored groups exploiting the Follina vulnerability, there is high potential for criminal ransomware groups to operate in a similar fashion. Many ransomware groups use phishing emails to gain initial access to a victim’s environment, and with this vulnerability present, the odds of those attempts successfully compromising their targets are high, especially because it may be used to deliver a variety of malware, including banking trojans and remote access trojans. In February 2022, Microsoft announced that it would disable Visual Basic for Applications (VBA) macros obtained from the internet by default, in an effort to curb the rate of malware infections associated with this delivery method. While this news was well received by the security community, the Follina vulnerability creates another avenue for exploitation using email to deliver these malicious attachments.

What can be done to alleviate this?

As a part of its cumulative update, Microsoft released a patch for Follina on Tuesday, June 14, 2022, and urged users to install the patch immediately. Applying Microsoft’s patch, however, does not eliminate an active threat already present in a victim’s environment. If there is any suspicion of malicious activity stemming from this vulnerability, it is imperative to take caution and initiate your incident response plan by escalating to relevant internal and external resources, ensuring no further activity takes place.
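Because patching does not reveal whether the vulnerability was already used, one way to look for prior activity is to search process-creation logs for MSDT started by an Office application. The following is an added example, not code from the original post: the event field names are modelled on Sysmon Event ID 1, the list of Office parent processes is an assumption of this example, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Assumption of this example: Office applications treated as suspicious parents.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16" + "\\"
SYS32 = r"C:\Windows\System32" + "\\"

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-06-02 11:40:17", "Computer": "WS-014", "User": "CORP\\alice",
     "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "msdt.exe"},
    {"UtcTime": "2022-06-01 09:14:02", "Computer": "WS-014", "User": "CORP\\alice",
     "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "msdt.exe"},
    {"UtcTime": "2022-06-01 10:03:55", "Computer": "WS-022", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + "msdt.exe"},
    {"UtcTime": "2022-06-01 10:20:31", "Computer": "WS-031", "User": "CORP\\carol",
     "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "splwow64.exe"},
]

def exe(path):
    """Lower-cased file name of a Windows path, regardless of the analyst's OS."""
    return ntpath.basename(path or "").lower()

def msdt_from_office(events):
    """Process-creation events in which an Office application started msdt.exe."""
    return [e for e in events
            if exe(e.get("Image")) == "msdt.exe"
            and exe(e.get("ParentImage")) in OFFICE_PARENTS]

def scope_by_host(events):
    """Map each affected host to its first-seen time, users and hit count for scoping."""
    hosts = defaultdict(lambda: {"first_seen": None, "users": set(), "hits": 0})
    for e in sorted(msdt_from_office(events), key=lambda ev: ev["UtcTime"]):
        entry = hosts[e["Computer"]]
        entry["first_seen"] = entry["first_seen"] or e["UtcTime"]
        entry["users"].add(e["User"])
        entry["hits"] += 1
    return dict(hosts)

if __name__ == "__main__":
    for host, info in scope_by_host(SAMPLE_EVENTS).items():
        print(host, info["first_seen"], sorted(info["users"]), info["hits"])
```

A hit is a lead for the incident response process rather than proof of compromise; the first-seen time gives responders a starting point for the timeline on each host.
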

What can we expect to see next?

Although we have yet to see widespread exploitation of the Follina vulnerability, it is important to remain vigilant. Lewis Brisbois’ Data Privacy & Cybersecurity Team works diligently to communicate the latest insights observed from our work responding to network intrusions impacting organizations every day. We will continue to update this blog with the latest insights from our work in the field of incident response.
