CVE-2022-30190 MS RCE “Follina” Zero-Day Vulnerability


A remote code execution (RCE) vulnerability was discovered in Microsoft Support Diagnostic Tool (MSDT).

What is MSDT

MSDT is a diagnostic tool from Microsoft that invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.

The vulnerability

According to Microsoft, successfully exploiting the vulnerability can enable an attacker to download arbitrary remote code, and run it on a system with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

This exploit could be delivered by a range of methods; one method seen in the wild was phishing.

Impact and mitigation

Microsoft says the flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system.

Follow these steps to disable MSDT URL:

1. Run Command Prompt as Administrator.

2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.

3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround:

1. Run Command Prompt as Administrator.

2. To restore the registry key, execute the command “reg import filename”.
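
The disable and undo steps above, combined into one PowerShell script as an added example (not code from Microsoft or from this article). The parameter names, function names and default backup path are assumptions; the script refuses to delete the key unless the export succeeded, and verifies the key's state after each change.

```powershell
#Requires -RunAsAdministrator
# Added example: applies or reverts the ms-msdt workaround described above.
# Parameter names, function names and the backup path are assumptions.
param(
    [ValidateSet('Status', 'Disable', 'Restore')]
    [string]$Action = 'Status',
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"   # assumed location
)

$KeyReg = 'HKEY_CLASSES_ROOT\ms-msdt'   # key path in the form reg.exe expects
$KeyPs  = "Registry::$KeyReg"           # same key for the PowerShell registry provider

function Test-MsdtHandler { Test-Path -LiteralPath $KeyPs }

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) { Write-Output 'ms-msdt handler already absent.'; return }
    # Step 2: back up first, and do not delete unless the backup is usable.
    & reg.exe export $KeyReg $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath) -or
        (Get-Item -LiteralPath $BackupPath).Length -eq 0) {
        throw "Backup to $BackupPath failed; key left in place."
    }
    # Step 3: remove the URL protocol handler, then confirm it is gone.
    & reg.exe delete $KeyReg /f | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandler)) { throw 'Delete failed; handler still present.' }
    Write-Output "ms-msdt handler removed. Backup: $BackupPath"
}

function Restore-MsdtHandler {
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath." }
    # reg import reports on stderr, so merge the streams before discarding output.
    & reg.exe import $BackupPath 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtHandler)) { throw 'Import failed; handler still absent.' }
    Write-Output 'ms-msdt handler restored.'
}

switch ($Action) {
    'Status'  { if (Test-MsdtHandler) { 'ms-msdt handler PRESENT' } else { 'ms-msdt handler absent' } }
    'Disable' { Disable-MsdtHandler }
    'Restore' { Restore-MsdtHandler }
}
```

Run it from an elevated PowerShell session with -Action Disable to apply the workaround and -Action Restore to undo it; with no arguments it only reports whether the handler is present.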

Microsoft has yet to communicate if and when a permanent fix in the form of a patch will be available.

Adrian Borlea

Adrian is Windows Security Researcher at Runecast and an IT enthusiast with over 10 years of experience. He has worked as a Network and Systems Administrator for various companies and sectors, involved in complex projects starting from infrastructure planning, implementation, troubleshooting and continuous improvement processes.

In the last few years, Adrian has been involved in cyber-security projects, working with multiple tools for vulnerability management, compliance, IDS/IPS, GDPR compliance and infrastructure monitoring against cyber-attacks.