On the 30th of May 2022, Microsoft issued a statement on a zero-day remote code execution vulnerability, tracked as CVE-2022-30190, in the Microsoft Support Diagnostic Tool (MSDT) in Windows. The Microsoft Security Response Center team has detailed this security flaw and its impact on certain versions of Windows and Windows Server. Security researcher Kevin Beaumont first discovered and reported the vulnerability, dubbed “Follina”, to Microsoft on April 12. Here are some related guides: How to deploy a function app from Visual Studio to Azure Platform, and how to Install Packages to Amazon Virtual Machine using Terraform.
The flaw abuses an Office feature to retrieve a hypertext markup language (HTML) file, which then uses MSDT to execute a snippet of PowerShell code. Beaumont and other security researchers confirmed that they were able to exploit the vulnerability on Office 2021, Office 2019, Office 2016 and Office 2013. The Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11, 10, 8 and 7 and also on Windows Server. The tool allows Microsoft support representatives to analyze diagnostic data and find a resolution to issues.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change or delete data; or create new accounts in the context allowed by the user’s rights. You can learn more about this vulnerability by clicking on this link.
The tool is included in Windows and can be launched by pressing Windows key + R and typing msdt in the Run dialog. In the future, I will be providing you with a guide on how to use the Microsoft Support Diagnostic Tool and the System Diagnostic Report.
I will be showing you how to resolve this issue via the Command Prompt, the Registry, and Group Policy (GPO).
Via the Command Prompt
Pending the release of an update, Microsoft has provided a workaround to mitigate the remote code execution vulnerability in MSDT. Below are the steps to mitigate this flaw.
1: Run Command Prompt with Administrator privileges.
2: Run the following command to back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename
Note: filename is the name you choose for the backup file.
3: Execute the command: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Undo this Workaround
If for some reason you wish to undo this workaround, for example because Microsoft has provided a permanent fix such as a Windows update, the following steps will undo the changes applied.
1: Run Command Prompt as Administrator.
2: To restore the registry key, execute the command: reg import filename
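As an added example that is not part of the original post, the following PowerShell wraps the backup, delete and restore steps above in functions that verify each step succeeded before moving on. It assumes an elevated session on Windows; the backup file path under ProgramData is my own choice.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows; the backup path below is an assumption, change as needed.
$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
}

function Test-MsdtHandler {
    # True while the ms-msdt: URL protocol handler is still registered.
    return Test-Path -Path "Registry::$HandlerKey"
}

function Disable-MsdtHandler {
    Assert-Elevated
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Step 2: back up the key first (/y overwrites an older backup silently).
    & reg.exe export $HandlerKey $BackupFile /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $HandlerKey failed; aborting before deletion."
    }
    # Step 3: remove the handler so ms-msdt: links no longer launch msdt.exe.
    & reg.exe delete $HandlerKey /f 2>&1 | Out-Null
    if (Test-MsdtHandler) { throw 'Handler key still present after delete.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Undo: re-import the backup taken by Disable-MsdtHandler.
    Assert-Elevated
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile 2>&1 | Out-Null
    if (-not (Test-MsdtHandler)) { throw 'Restore failed; handler key still absent.' }
    Write-Host 'ms-msdt handler restored from backup.'
}

# Usage (elevated):
#   Disable-MsdtHandler   # apply the workaround
#   Restore-MsdtHandler   # undo it once a permanent fix is installed
```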
Registry Settings to Disable MSDT URL Protocol
To fix this issue via the Registry, create a 32-bit DWORD value named EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0.
Or use the command below:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0
Disable “Troubleshooting wizards” by GPO
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.
Computer Configuration/Policies/Administrative Templates/System/Troubleshooting and Diagnostics/Scripted Diagnostics
Open the policy “Troubleshooting: Allow users to access and run Troubleshooting Wizards” and set it to Disabled.
Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
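The GPO setting above writes the same EnableDiagnostics policy value as the Registry method, so the following PowerShell, an added example that is not part of the original post, applies it locally and then reports whether each registry-level mitigation from this post is in place. It assumes an elevated session on Windows; on a domain-joined machine where a GPO configures this setting, the next policy refresh overwrites a local value, so set it through GPO there.

```powershell
# Added example, not from the original post. Run elevated on Windows.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Set-ScriptedDiagnosticsPolicy {
    # 0 disables Troubleshooting Wizards (the GPO "Disabled" state),
    # 1 re-enables them. Creates the policy key if it does not exist yet.
    param([ValidateSet(0, 1)][int]$EnableDiagnostics = 0)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' `
        -PropertyType DWord -Value $EnableDiagnostics -Force | Out-Null
}

function Get-ScriptedDiagnosticsPolicy {
    # Returns 0 or 1, or $null when the policy value has never been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableDiagnostics
}

function Get-MsdtMitigationStatus {
    # One object summarising both registry-level workarounds from this post.
    $policy         = Get-ScriptedDiagnosticsPolicy
    $handlerRemoved = -not (Test-Path $HandlerKey)
    [pscustomobject]@{
        MsdtHandlerRemoved        = $handlerRemoved
        EnableDiagnosticsValue    = $policy
        TroubleshootingWizardsOff = ($policy -eq 0)   # $null -eq 0 is $false
        EitherWorkaroundApplied   = $handlerRemoved -or ($policy -eq 0)
    }
}

# Usage (elevated):
#   Set-ScriptedDiagnosticsPolicy       # disable wizards (EnableDiagnostics = 0)
#   Get-MsdtMitigationStatus            # audit the host
#   Set-ScriptedDiagnosticsPolicy 1     # undo after a permanent fix is installed
```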
Microsoft Defender Detections & Protections
Some customers use the built-in Microsoft Defender Antivirus, others a different antivirus solution. If you use Microsoft Defender Antivirus, you should enable cloud-delivered protection and automatic sample submission. Microsoft reiterated that customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which blocks Office apps from creating child processes; creating malicious child processes is a common malware strategy.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line).
Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
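As an added example that is not part of the original post, the following PowerShell turns on the Defender settings described above (cloud-delivered protection, automatic sample submission and the Office child-process ASR rule) and reports whether the host's signature build is at or above the 1.367.719.0 build that carries the Mesdetty signatures. It assumes Windows with Microsoft Defender Antivirus and an elevated session; the GUID used is the published id of the “Block all Office applications from creating child processes” ASR rule.

```powershell
# Added example, not from the original post. Assumes Windows with Microsoft
# Defender Antivirus and an elevated session. The ASR rule GUID is the
# published id for "Block all Office applications from creating child processes".
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$MinSignatureVersion    = [version]'1.367.719.0'   # detection build named in the post

function Enable-MsdtDefenderProtections {
    # Cloud-delivered protection (MAPS) plus automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # ASR rule in Block mode: Office apps may no longer spawn children such as msdt.exe.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrRuleAction {
    # Maps the rule's configured action code to a name; 'NotConfigured' if absent.
    param([string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Get-MsdtDefenderStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $sig    = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        CloudProtectionOn     = ($pref.MAPSReporting -eq 2)           # 2 = Advanced
        AutoSampleSubmission  = ($pref.SubmitSamplesConsent -in 1, 3) # safe / all samples
        OfficeChildProcessASR = Get-AsrRuleAction $OfficeChildProcessRule
        SignatureVersion      = $sig
        HasMesdettySignatures = ($sig -ge $MinSignatureVersion)
    }
}

# Usage (elevated):  Enable-MsdtDefenderProtections; Get-MsdtDefenderStatus
```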
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.