Brief
On May 30th, 2022 Microsoft released guidance relating to a Zero-Day vulnerability which affects the Microsoft Support Diagnostic Tool (msdt) in Windows which allows a form of Remote Code Execution (RCE) via a remote Word template feature. The exploit has been dubbed ‘Follina’ due to references in the code to the location in Italy, and has been given a CVSS score of 7.8.
The maldoc loads a HTML page via Word’s external link, which then exploits the vulnerability in msdt to execute Powershell code on the target machine.
The vulnerability impacts all Windows versions currently supported by Microsoft.
Daisy will continue to monitor this, however an increase in exploitation is expected.
Work Around
The primary action should be to apply the workaround as detailed by Microsoft, instructions are below:
- Run Command Prompt as Administrator
- Backup the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt <filename>
- Delete the registry key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Alternatives
If you are unable to apply the workaround then you can disable the Troubleshooting Wizards by GPO or in the user interface.
GPO method
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics – EnableDiagnostics – 0
User Interface
Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “disabled”.
Additional Steps
- Validate that your existing security software detects and blocks exploitation against Follina (CVE-2022-30190)
- Block .rtf files on your mail gateway whilst also remembering to whitelist any historical email addresses that you deem as safe. Make sure to include .rtf files in zip or rar archives.
- Disable the preview pane through Group Policy
Defender for Endpoint
For those customers using Defender for Endpoint, you can enable the attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes.
If you have an EDR solution you can monitor/block attempts made by winword.exe and excel.exe to launch the following processes:
- regsvr32.exe
- rundll32.exe
- msiexec.exe
- mshta.exe
- verclsid.exe
- msdt.exe
Education is key
Whilst this may seem like security 101, reiteration of these steps can only be advantageous.
- Educate users to not disable protected view (or enforce through Group Policy)
- Educate users to not open documents that they are not expecting, or are absolutely certain of (even from apparent safe senders)
Updates
Monitor Microsoft security response advisories relating to this vulnerability, as detailed on the following link: Microsoft Follina Advice
References
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190