Follina Vulnerability – CVE-2022-30190

by Josh Campbell on June 8, 2022

Threat Synopsis – Follina

Follina (CVE-2022-30190) or the remote code execution vulnerability discovered that will abuse the Microsoft Windows Support Diagnostic Tool (MSDT.exe) in order to exploit and execute remote code was observed in Late May of 2022. The vulnerability itself was first mentioned by a security research group named “Nao Sec” via Twitter on May 27th and acknowledged by Microsoft on May 31st. Since then it has been confirmed to have been spotted in the wild, being exploited by threat groups such as TA413 who are linked to the Chinese government, as well as initial attacks apparently observed targeting the Philippines, Nepal and India earlier in the year. The Microsoft Windows Support Diagnostic Tool is typically utilized by the operating system as a troubleshooting wizard (collecting and sending system information back to Microsoft Support), and is native to all versions of Microsoft Windows. It is also worth noting that the vulnerability also has been proven exploitable in versions of Microsoft Office: 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

The severity of Follina has been scored at 7.8 by the CVSS rating system, and has been observed to be delivered via malicious Microsoft Word “.doc” files. Exploitation of this vulnerability has been observed to take advantage of Microsoft Word remote templates in order to retrieve an HTML file, which then uses the ms-msdt MSProtocol URI scheme to load the malicious code and execute PowerShell. Note that although observed cases thus far has exploited the use of Microsoft Word and Outlook, potentially any office product which handles oleObject relationships is exploitable by a threat actor. What stands out, is the code being executed via MSDT even with macros being disabled. Due to the existence of MSDT in Microsoft Windows systems and the ubiquity of Microsoft Office globally, as well as the ongoing threat of phishing e-mails leading to infection, the vulnerability is important to be ascertained and prepared for.

Threat Summary

The discovery of Follina (or CVE-2022-30190) in late May 2022 immediately became a hot topic, due to the potential threat of Remote Code Execution (RCE) via malicious Microsoft Office document, and thus the reach across people vulnerable – it is worth it to note that the attack happens locally and user input is necessary for execution, thus as the Fortinet analysis states, the “remote” aspect is referring to the location of the attacker. Follina allows RCE in environments by taking advantage of a vulnerability found in the Microsoft Support Diagnostic Tool (MSDT) which is native to Windows operating systems, and is delivered by malicious Microsoft Office documents loading HTML files from a remote location and executing malicious PowerShell commands.

The malicious document observed is able to abuse Microsoft Word’s remote template feature and pull the HTML file that contains embedded JavaScript code, which utilizes the ms-msdt schema to execute a PowerShell “Invoke-Expression” command. The command terminates the Microsoft Support Diagnostic Tool (msdt.exe) process and eventually after running through files contained in a .RAR file, executes the malicious rgb.exe executable. Researchers have noted that the file is still executable with macros disabled in Microsoft Word and potentially can be exploitable utilizing an .RTF file instead of the observed .DOC file in order to bypass protected view or “preview”.

As noted in MSRC’s (Microsoft Security Response Center) blog, the threat actor potentially can install malicious programs, access/modify/delete data, and create user accounts on a victim’s system. As of today there has not been an official patch release from Microsoft, but the MSRC’s blog covers potential mitigation measures that can be utilized until one is released.