CVE-2022-30190: exploited in the wild

Follina, Microsoft MSDT RCE via Office document

A remote code execution vulnerability exists when MSDT (Microsoft Support Diagnostic Tool) is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.

Overview

CVE-2022-30190, dubbed "Follina," is a critical remote code execution vulnerability in Microsoft Support Diagnostic Tool (MSDT). The vulnerability allows attackers to execute arbitrary code when MSDT is invoked via the ms-msdt:// URL protocol from applications like Microsoft Word. Notably, this attack requires no macros and no user interaction beyond opening or previewing a malicious document.

Technical Details

The attack chain works as follows:

  1. An attacker crafts a .docx file containing a remote template reference pointing to an attacker-controlled HTTP server
  2. The remote server responds with HTML containing an iframe with a specially crafted ms-msdt:// URI
  3. The URI includes parameters that abuse MSDT's diagnostic functionality: ms-msdt:/id PCWDiagnostic /skip force /param 'IT_RebrowseForFile=... IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(<malicious PowerShell>)...'
  4. Word retrieves the remote template and renders its HTML; the ms-msdt:// URI is handed to the registered protocol handler, which launches MSDT, and MSDT then evaluates the embedded PowerShell payload

The vulnerability is particularly dangerous because it bypasses traditional security controls. No macros are required, no "Enable Editing" prompt appears, and simply previewing the document in Outlook or Windows Explorer is sufficient to trigger exploitation.

Impact

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. This enables the attacker to:

  • Install programs
  • View, change, or delete data
  • Create new accounts within the context of the user's rights

Follina was heavily exploited in the wild for approximately six months. Multiple threat actors incorporated it into their arsenals, including ransomware groups and APTs such as Sandworm and TA413. The vulnerability was particularly impactful because it bypassed macro-disabled environments, which most organizations had implemented as a security control.

Mitigation

  1. Apply patches: Ensure all Windows hosts have the June 2022 Patch Tuesday updates or later installed
  2. Registry workaround: Delete or rename the HKEY_CLASSES_ROOT\ms-msdt registry key as defense-in-depth
  3. Enable ASR rules: Deploy Attack Surface Reduction rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A ("Block all Office applications from creating child processes") via Microsoft Defender
  4. Audit legacy systems: Check for unpatched legacy systems that may have been missed

Detection

Search EDR telemetry for msdt.exe launched as a child process of:

  • winword.exe
  • outlook.exe
  • explorer.exe

Also monitor for Office documents that fetch remote templates, and for network connections from Office applications to unknown external servers.
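As an added example (not part of the original advisory), the parent/child check above run over a few constructed Sysmon-style process-creation events; the event format and the field names Image, ParentImage and CommandLine are assumptions, and the second rule (ms-msdt command-line markers regardless of parent) goes slightly beyond the list above to catch a launch from an unexpected parent.

```python
import json

# Parents from which msdt.exe should not be spawned (the Detection list above).
SUSPICIOUS_PARENTS = {"winword.exe", "outlook.exe", "explorer.exe"}
# Command-line fragments characteristic of the ms-msdt:// abuse described above.
URI_MARKERS = ("ms-msdt:", "pcwdiagnostic", "it_browseforfile", "it_launchmethod")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a reason string if the event matches the Follina pattern, else None."""
    if basename(event.get("Image", "")) != "msdt.exe":
        return None
    parent = basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        return f"msdt.exe spawned by {parent}"
    cmd = event.get("CommandLine", "").lower()
    found = [m for m in URI_MARKERS if m in cmd]
    if found:  # ms-msdt URI reaching MSDT from an unexpected parent
        return f"ms-msdt command line ({', '.join(found)})"
    return None


def scan(lines):
    """Run classify() over newline-delimited JSON events, skipping malformed lines."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason:
            hits.append((basename(event.get("ParentImage", "")), reason))
    return hits


# Constructed sample telemetry (assumed field names, not real captures).
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\msdt.exe",
                "ParentImage": r"C:\Office16\WINWORD.EXE",
                "CommandLine": r'"msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param ...'}),
    json.dumps({"Image": r"C:\Windows\System32\msdt.exe", "ParentImage": r"C:\Windows\System32\control.exe",
                "CommandLine": "msdt.exe /id NetworkDiagnosticsWeb"}),  # routine troubleshooter run
    json.dumps({"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Office16\WINWORD.EXE",
                "CommandLine": "cmd.exe /c whoami"}),  # Office child process, but not msdt
    "not json",
]
```

Running scan(SAMPLE_EVENTS) flags only the first event; the control.exe launch is a normal troubleshooter run and the cmd.exe child is left to the ASR rule from the Mitigation section.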