On May 27, 2022, the NAO Security Cyber Security Research Team (nao_sec) reported[i] that it had observed an interesting malicious document submitted to VirusTotal[ii], allegedly originating in Belarus. At issue was a Microsoft 0-day, CVE-2022-30190[iii], now known as ‘Follina’[iv], which is exploited through the weaponized DOCX document[v] noted in that tweet. The document was specially crafted to load a specific remote HTML file, which is rendered by the MSHTML engine.
Once a victim opens the weaponized file, the remote HTML file uses JavaScript to replace its own URL with one that uses the ms-msdt protocol scheme. Because that navigation happens inside the Office process, Word invokes the ms-msdt: URL handler, which launches the Microsoft Support Diagnostic Tool (msdt.exe)[vi] as a child of the Office application, with no macros involved. The utility is passed specific arguments that cause it to evaluate an attacker-supplied PowerShell expression, resulting in remote code execution. Essentially, this lets an attacker execute arbitrary code with the privileges of the calling application, giving them the ability to do a multitude of things, including:
The NetWitness Threat Research and Intelligence Content team is currently finalizing a body of research related to the ‘Follina’ 0-day vulnerability and the conditions associated with its potential exploitation. A more detailed blog is forthcoming and will outline in greater detail the nature of the vulnerability, its potential for exploitation, and what else you need to know to ensure your environment is best prepared for threats associated with this vulnerability.
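To make the process chain described above concrete for detection, here is an added example. It is not code from the NetWitness post, from the Follina sample, or from the MSRC guidance: it scores constructed process-creation events for msdt.exe launched with ms-msdt/PCWDiagnostic arguments, weights an Office parent process more heavily, and recovers the Base64-encoded PowerShell that the public sample embedded in its IT_BrowseForFile parameter. The log line format, file paths and payload are constructed for the example; the argument fragments PCWDiagnostic, IT_BrowseForFile and IT_RebrowseForFile are the ones seen in the public sample.

```python
"""
Added example (not from the NetWitness post or the Follina sample): score
process-creation events for msdt.exe abuse. Log format, paths and the
Base64 payload are constructed; the argument shape mirrors the public sample.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Office hosts that should not normally spawn the diagnostic tool
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Argument fragments from the public sample's ms-msdt URL (lower-cased for matching)
MSDT_MARKERS = ("ms-msdt:", "pcwdiagnostic", "it_browseforfile", "it_rebrowseforfile")

# Matches FromBase64String("...") and the sample's '+[char]34+' quoting trick
B64_RE = re.compile(r"FromBase64String\((?:'\+\[char\]34\+')?[\"']?([A-Za-z0-9+/=]{16,})")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    severity: str                      # "none", "medium" or "high"
    reasons: List[str] = field(default_factory=list)
    decoded_payload: Optional[str] = None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed 'Key=Value|Key=Value' line format used below."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def decode_embedded_powershell(command_line: str) -> Optional[str]:
    """Recover a Base64 blob handed to FromBase64String; the sample decoded it as UTF-8."""
    m = B64_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def assess(ev: ProcessEvent) -> Verdict:
    """One reason gives 'medium'; two or more (e.g. Office parent plus markers) give 'high'."""
    reasons: List[str] = []
    cl = ev.command_line.lower()
    if basename(ev.image) == "msdt.exe":
        hits = [m for m in MSDT_MARKERS if m in cl]
        if hits:
            reasons.append("msdt.exe invoked with ms-msdt/PCWDiagnostic parameters: " + ", ".join(hits))
            parent = basename(ev.parent_image)
            if parent in OFFICE_PARENTS:
                reasons.append("spawned by Office application " + parent)
    payload = decode_embedded_powershell(ev.command_line)
    if payload is not None:
        reasons.append("Base64-encoded PowerShell embedded in arguments")
    if not reasons:
        return Verdict("none")
    return Verdict("high" if len(reasons) >= 2 else "medium", reasons, payload)


# Constructed, harmless stand-in for the real sample's encoded script
CONSTRUCTED_PAYLOAD = "Write-Output 'constructed placeholder, not the real payload'"
PAYLOAD_B64 = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()


def follina_style_cmdline(b64: str) -> str:
    """msdt.exe argument shape of the public sample, carrying a constructed payload."""
    return ('"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
            '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('
            "$(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString("
            "[System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'" + b64 +
            "'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"")


SAMPLE_EVENTS = [
    # Constructed: Word spawning msdt.exe with the sample's argument shape
    "|".join(["ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
              "Image=C:\\Windows\\System32\\msdt.exe",
              "CommandLine=" + follina_style_cmdline(PAYLOAD_B64)]),
    # Constructed: a user-launched troubleshooter, which should stay quiet
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msdt.exe"
    "|CommandLine=\"C:\\Windows\\System32\\msdt.exe\" -id NetworkDiagnosticsWeb",
    # Constructed: ms-msdt URL markers without an Office parent or encoded payload
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msdt.exe"
    "|CommandLine=\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        v = assess(parse_event(line))
        print(v.severity, v.reasons, repr(v.decoded_payload))
```

The parent-process check is the one worth keying on: msdt.exe started from explorer.exe by a user running a troubleshooter is routine, whereas WINWORD.EXE as the parent of msdt.exe with an ms-msdt URL is not, and decoding the embedded Base64 at triage time shows what the diagnostic tool was asked to run.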
For more information on CVE-2022-30190 we recommend referencing the following blog by the Microsoft Security Response Center (MSRC):
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
For additional information regarding NetWitness threat intelligence content you can put in place today to better prepare your environment for potential exploitation of CVE-2022-30190, we recommend that you visit cms.netwitness.com and search for all content related to PowerShell. In doing so, you will find forty-eight (48) pieces of content that address Microsoft PowerShell, including:
[i] https://twitter.com/nao_sec/status/1530196847679401984
[ii] https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
[iii] https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
[iv] https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
[v] MD5: 52945af1def85b171870b31fa4782e52
[vi] https://docs.microsoft.com/en-us/troubleshoot/sql/general/answers-questions-msdt