Hey everyone,

This forum post is to notify about a zero-day vulnerability that has been reported in Microsoft Security Diagnostic Tool [CVE-2022-30190]. Discovered by an independent cybersecurity researcher team nao_sec, the flaw has been dubbed as Follina.

As per MSRC's blog,

"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Workarounds

Microsoft has released workarounds to mitigate the vulnerability by disabling the MSDT URL Protocol. Refer here for more info.

Detection & mitigation using Endpoint Central (on-premises) with VMP / Endpoint Security add-on

To detect the affected endpoints:

2) Navigate to Threats & patches > Threats > Software Vulnerabilities

3) Search for CVE-2022-30190 to find the affected systems.

4) Under the Affected Systems column, you'll get a total count of systems affected by this vulnerability.

5) Clicking on it will reveal the affected systems.

To mitigate the vulnerability:

1. Log in to the Endpoint Central console.

2. Navigate to Configurations > Script Repository > Templates and sync the templates by clicking on the refresh button.

3. Filter the templates based on the category Vulnerability Mitigation and select MS_MSDT_CVE-2022-30190_Workaround.bat 

4. Set the exit code to 0 (zero) and add the script to the script repository.

5. Create a custom script configuration to execute the workaround in the affected systems. Follow the steps mentioned here to deploy the custom script.