[Zero-day] Microsoft Security Diagnostic Tool vulnerability causes RCE - Workaround released


Hey everyone,


This forum post is to notify you about a zero-day vulnerability that has been reported in the Microsoft Security Diagnostic Tool [CVE-2022-30190]. Discovered by the independent cybersecurity research team nao_sec, the flaw has been dubbed Follina.


CVE ID           Description   Impact
CVE-2022-30190   Zero-day      Remote Code Execution

As per MSRC's blog,


"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."


Workarounds


Microsoft has released workarounds that mitigate the vulnerability by disabling the MSDT URL protocol. Refer here for more info.



Detection & mitigation using Endpoint Central (on-premises) with VMP / Endpoint Security add-on


To detect the affected endpoints:


1) Log in to the Endpoint Central web console.

2) Navigate to Threats & patches > Threats > Software Vulnerabilities.

3) Search for CVE-2022-30190 to find the affected systems.

4) The Affected Systems column shows the total count of systems affected by this vulnerability.

5) Clicking on it will reveal the affected systems.


To mitigate the vulnerability:


  1. Log in to the Endpoint Central console.

  2. Navigate to Configurations > Script Repository > Templates and sync the templates by clicking the refresh button.

  3. Filter the templates by the category Vulnerability Mitigation and select MS_MSDT_CVE-2022-30190_Workaround.bat.

  4. Set the exit code to 0 (zero) and add the script to the script repository.

  5. Create a custom script configuration to execute the workaround on the affected systems. Follow the steps mentioned here to deploy the custom script.
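As an added illustration (this is not the Endpoint Central template script above, nor Microsoft's own code), the PowerShell below performs the same registry workaround Microsoft published: it checks whether the ms-msdt URL protocol handler key is present, exports the key before deleting it, and can restore it from that backup once the patch is installed. It assumes an elevated session; the default backup path is a hypothetical value to replace with one that suits your environment.

```powershell
# Added example: check, apply or roll back the ms-msdt URL protocol workaround
# for CVE-2022-30190. Run from an elevated (Administrator) PowerShell session.
param(
    [ValidateSet('Check', 'Apply', 'Rollback')]
    [string]$Action = 'Check',
    # Hypothetical backup location; adjust for your environment.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$Key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

switch ($Action) {
    'Check' {
        # Detection: if the handler key exists, ms-msdt: URLs can still be invoked.
        if (Test-Path $Key) {
            Write-Output 'ms-msdt protocol handler present: workaround NOT applied'
        } else {
            Write-Output 'ms-msdt protocol handler absent: workaround applied'
        }
    }
    'Apply' {
        if (-not (Test-Path $Key)) {
            Write-Output 'ms-msdt protocol handler already removed'
            exit 0
        }
        # Export the key first so the change can be reverted after patching.
        & reg.exe export 'HKCR\ms-msdt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg.exe exit code $LASTEXITCODE)" }
        # Deleting the key disables the MSDT URL protocol handler.
        Remove-Item -Path $Key -Recurse -Force
        Write-Output "Removed ms-msdt protocol handler; backup saved to $BackupFile"
    }
    'Rollback' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        # Restore the exported key once the Microsoft patch has been installed.
        & reg.exe import $BackupFile
        if ($LASTEXITCODE -ne 0) { throw "Restore failed (reg.exe exit code $LASTEXITCODE)" }
        Write-Output 'ms-msdt protocol handler restored from backup'
    }
}

# Exit code 0 on success matches the success code the mitigation steps above expect.
exit 0
```

Run with `-Action Check` across endpoints to confirm the workaround took effect, and `-Action Rollback` only after the vendor patch has been deployed.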


If you have any queries, please comment below the post or reach out to us at: