{"id":90861,"date":"2022-06-03T18:51:20","date_gmt":"2022-06-03T13:21:20","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90861"},"modified":"2023-10-17T15:27:37","modified_gmt":"2023-10-17T09:57:37","slug":"threat-advisory-cve-2022-30190-follina-severe-zero-day-vulnerability-discovered-in-msdt","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/threat-advisory-cve-2022-30190-follina-severe-zero-day-vulnerability-discovered-in-msdt\/","title":{"rendered":"Threat Advisory: CVE-2022-30190 \u2018Follina\u2019 \u2013 Severe Zero-day Vulnerability discovered in MSDT"},"content":{"rendered":"

A Zero-day Remote Code Execution Vulnerability with high severity has been identified as CVE-2022-30190<\/a> \u201cFOLLINA\u201d in Microsoft Windows Support Diagnostic Tool (MSDT).<\/p>\n

MSDT is a tool present on Windows version 7 and above and is used for diagnosis of problems in applications such as Ms Office Documents when any user reports problem to Microsoft support.<\/p>\n

Why is CVE-2022-30190 \u201cFollina\u201d vulnerability so dangerous?<\/strong><\/h4>\n

This diagnostic tool (MSDT) is usually called by applications such as MS Office Documents which allows remote code execution with the privileges of the calling process when called via MSDT URL Protocol. An attacker can exploit this vulnerability to run any arbitrary code.<\/p>\n

This vulnerability has been exploited in wild with the use of MS Office Documents distributed via email to execute malicious payloads (For ex: Turian Backdoor, Cobalt Strike etc.). Initially a doc sample named as VIP Invitation to Doha Expo 2023.docx (7c4ee39de1b67937a26c9bc1a7e5128b) used WebDAV to download CobaltStrike.<\/p>\n

Chinese APT group ‘TA413’ have exploited this Vulnerability in wild which download backdoor as payload via MSDT URL Protocol.<\/p>\n

Below figure shows the base64 encoded html file downloaded by DOC(SHA: <\/strong>000c10fef5a643bd96da7cf3155e6a38)<\/strong> from hxxp:\/\/212[.]138.130.8\/analysis [.]html<\/strong><\/p>\n

\"\"<\/p>\n

Following figure shows the decoded data:<\/strong><\/p>\n

\"\"<\/p>\n

When we decoded base64 encoded data it can be clearly seen that svchosts.exe which is the backdoor is downloaded via MSDT URL PROTOCOL<\/p>\n

Mitigation of \u201cFollina\u201d<\/strong><\/h4>\n

Disabling MSDT URL protocol:<\/p>\n

    \n
  1. Execute the following command as Administrator to back up the registry key \u2013<\/li>\n<\/ol>\n

    \u201creg export HKEY_CLASSES_ROOT\\ms-msdt filename\u201c<\/p>\n

      \n
    1. To delete the registry key, execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt \/f\u201d.<\/li>\n<\/ol>\n

      For restoring the registry key execute the following command as Administrator \u2013 \u201creg import filename\u201d<\/p>\n

      How does Quick Heal protect its customers from CVE-2022-30190 – Follina?<\/strong><\/h4>\n

      Quick Heal protects its customers against this vulnerability in MSDT via following detections: –<\/p>\n

        \n
      • Backdoor.Turian.S28183972<\/li>\n
      • CVE-2022-30190.46635<\/li>\n
      • CVE-2022-30190.46634<\/li>\n
      • CVE-2022-30190.46624<\/li>\n
      • CVE-2022-30190.46623<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

        A Zero-day Remote Code Execution Vulnerability with high severity has been identified as CVE-2022-30190 \u201cFOLLINA\u201d in Microsoft Windows Support Diagnostic Tool (MSDT). MSDT is a tool present on Windows version 7 and above and is used for diagnosis of problems in applications such as Ms Office Documents when any user reports problem to Microsoft support. […]<\/p>\n","protected":false},"author":75,"featured_media":90867,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[75,1,1395],"tags":[1907,1908,1888,901,345,72,38],"class_list":["post-90861","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-windows","category-uncategorized","category-vulnerability","tag-follina","tag-secureitright","tag-zeroday","tag-cyberattack","tag-hackers","tag-microsoft","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90861"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/75"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90861"}],"version-history":[{"count":9,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90861\/revisions"}],"predecessor-version":[{"id":91390,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90861\/revisions\/91390"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90867"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}