Runecast Response | CVE-2022-30190 MS Vulnerability

A remote code execution (RCE) vulnerability was discovered in Microsoft Support Diagnostic Tool (MSDT).
‍

What is MSDT

MSDT is a diagnostic tooling set from Microsoft – which invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.

The vulnerability

According to Microsoft, successfully exploiting the vulnerability can enable an attacker to download arbitrary remote code, and run it on a system with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

This exploit could be delivered by a range of methods, one method seen in the wild was by phishing.

Impact and mitigation

Microsoft says the flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. 

Follow these steps to disable MSDT URL:

1.     Run Command Prompt as Administrator.

2.     To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“

3.     Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround:

1.     Run Command Prompt as Administrator.

2.     To restore the registry key, execute the command “reg import filename” 

Microsoft has yet to communicate if and when a permanent fix in the form of a patch will be available.