Windows

Microsoft Support Diagnostic Tool Vulnerability Fix

Microsoft

On May 30, 2022, Microsoft released a statement about a zero-day remote code execution flaw, designated CVE-2022-30190. This flaw pertains to the Windows vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

Furthermore, The Microsoft Security Response Center team has outlined this security flaw and its impact on specific Windows and Windows Server versions. Tracked as CVE-2022-30190, security researcher Kevin Beaumont first discovered and reported the vulnerability dubbed “Follina” to Microsoft on April 12. Here are some related guides: How to deploy a function app from Visual Studio to Azure Platform, and how to Install Packages to Amazon Virtual Machine using Terraform.

The flaw exploits an Office feature, retrieving an HTML file, then utilizing MSDT for executing PowerShell code. Beaumont and fellow researchers confirmed exploiting the vulnerability in Office 2021, 2019, 2016, and 2013. Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8 and 7 and also on Windows Server. The tool allows Microsoft support representatives to analyze diagnostic data and find a resolution to issues.

MSDT called via URL protocol from an app like Word creates remote code execution vulnerability. However, An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. Nonetheless, The attacker can install programs, view, change, delete data, or create new accounts within the user’s rights. You can learn more about this vulnerability by clicking on this link.

The system includes the tool, accessible by pressing Windows key + R and typing MSDT in the run dialogue window. Additionally, I’ll offer a guide for using the Microsoft Support Diagnostic Tool & System Diagnostic Report.

Workaround

I will be showing you how to resolve this issue via the Command Prompt, Registry Settings, and GPO.

Via the Command Prompt

Pending when the updates will be released, Microsoft has provided a workaround to fix the remote code execution vulnerability in MSDT. Below are the steps to mitigate this flaw.

First of all, run Command Prompt with Administrator privileges.

Vulnerability Fix

2: Run the following command to back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt filename

Note: The filename is the name you can give.
Microsoft

3: Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Support

Microsoft Support Diagnostic: Undo this Workaround

If for some reason you wish to undo this workaround due to Microsoft providing a permanent fix such as a Windows update etc., the following steps below will help in undoing the changes applied.

Run Command Prompt as Administrator.
Diagnostic Tool

To restore the registry key, execute the command “reg import filename” 

Screenshot-2022-06-01-at-17.07.38

Alternative Workaround

Registry Settings to Disable MSDT URL Protocol

To fix this issue via the Registry Settings, you will need to create the DWORD value 32-bit named EnableDiagnostics and enter the value at 0.

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics

Or use the command below

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0

Disable Diagnostic “Troubleshooting wizards” by GPO

This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.

Computer Configuration/Policies/Administrative Templates/System/Troubleshooting and Diagnostics/Scripted Diagnostics
Capture1gpo68uh3

On the Troubleshooting: Allow users to access and run Troubleshooting Wizards policy, click on disabled

Capture2GPO56z-1
Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.

Microsoft Support Diagnostic: Microsoft Defender Detections & Protections

Some customers sometimes use the built-in Microsoft Defender Antivirus or another Anti-virus solution. If you use the Microsoft Defender Antivirus, you should enable cloud-delivered protection and automatic sample submission.  Microsoft reiterated that Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy.

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line).

Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Daniel
Daniel
1 year ago

Thank you! Enabled on our system now 🙂

Chris
Chris
1 year ago

Very helpful. Will try it asap. Thanks

4
0
Would love your thoughts, please comment.x
()
x