On May 30, 2022, Microsoft released a statement about a zero-day remote code execution flaw, designated CVE-2022-30190. This flaw pertains to the Windows vulnerability in the Microsoft Support Diagnostic Tool (MSDT).
Furthermore, The Microsoft Security Response Center team has outlined this security flaw and its impact on specific Windows and Windows Server versions. Tracked as CVE-2022-30190, security researcher Kevin Beaumont first discovered and reported the vulnerability dubbed “Follina” to Microsoft on April 12. Here are some related guides: How to deploy a function app from Visual Studio to Azure Platform, and how to Install Packages to Amazon Virtual Machine using Terraform.
The flaw exploits an Office feature, retrieving an HTML file, then utilizing MSDT for executing PowerShell code. Beaumont and fellow researchers confirmed exploiting the vulnerability in Office 2021, 2019, 2016, and 2013. Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8 and 7 and also on Windows Server. The tool allows Microsoft support representatives to analyze diagnostic data and find a resolution to issues.
MSDT called via URL protocol from an app like Word creates remote code execution vulnerability. However, An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. Nonetheless, The attacker can install programs, view, change, delete data, or create new accounts within the user’s rights. You can learn more about this vulnerability by clicking on this link.
The system includes the tool, accessible by pressing Windows key + R and typing MSDT in the run dialogue window. Additionally, I’ll offer a guide for using the Microsoft Support Diagnostic Tool & System Diagnostic Report.
I will be showing you how to resolve this issue via the Command Prompt, Registry Settings, and GPO.
Via the Command Prompt
Pending when the updates will be released, Microsoft has provided a workaround to fix the remote code execution vulnerability in MSDT. Below are the steps to mitigate this flaw.
First of all, run Command Prompt with Administrator privileges.
2: Run the following command to back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Note: The filename is the name you can give.
3: Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Microsoft Support Diagnostic: Undo this Workaround
If for some reason you wish to undo this workaround due to Microsoft providing a permanent fix such as a Windows update etc., the following steps below will help in undoing the changes applied.
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”
Registry Settings to Disable MSDT URL Protocol
To fix this issue via the Registry Settings, you will need to create the DWORD value 32-bit named EnableDiagnostics and enter the value at 0.
Or use the command below
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0
Disable Diagnostic “Troubleshooting wizards” by GPO
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.
Computer Configuration/Policies/Administrative Templates/System/Troubleshooting and Diagnostics/Scripted Diagnostics
On the Troubleshooting: Allow users to access and run Troubleshooting Wizards policy, click on disabled
Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
Microsoft Support Diagnostic: Microsoft Defender Detections & Protections
Some customers sometimes use the built-in Microsoft Defender Antivirus or another Anti-virus solution. If you use the Microsoft Defender Antivirus, you should enable cloud-delivered protection and automatic sample submission. Microsoft reiterated that Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line).
Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.