CVE-2022-30190 aka Follina

Fortify Security Team
Jun 13, 2022

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Why is this Significant?

This is significant because the vulnerability is a 0-day in the Microsoft Support Diagnostic Tool (MSDT) that allows remote code execution and is being actively exploited in the wild.

What is CVE-2022-30190?

CVE-2022-30190 is a remote code execution vulnerability and was named “Follina” by security researcher Kevin Beaumont. The name “Follina” was derived from the 0-day code referencing “0438”, which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word to retrieve a remote HTML file. The retrieved HTML file uses the “ms-msdt” MSProtocol URI scheme to load and execute the PowerShell payload. Note that ms-msdt refers to the “Microsoft Support Diagnostic Tool”, a legitimate Microsoft tool that collects system information and sends it back to Microsoft for problem diagnosis.

What is concerning is that the vulnerability reportedly can be exploited even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document file is changed to RTF form, even previewing the document in Windows Explorer can trigger the exploit.
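The two indicators described above (a Word document whose attached template points at a remote HTTP/HTTPS location, and a fetched HTML page that invokes the ms-msdt: URI scheme) are straightforward to check for in a mail gateway or sandbox pipeline. The following is an added detection example written for this page; it is not Fortify's code or any vendor tooling. Function names such as find_remote_templates and references_msdt are assumptions, and the sample .docx and HTML snippet are constructed inline so the script runs offline. It looks in word/_rels/settings.xml.rels for an attachedTemplate relationship with an http(s) target, which is how a remote template is declared in the OOXML package, and treats local file-path templates (the normal case for Normal.dotm) as benign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship type used by Word for an attached (possibly remote) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# The URI scheme the retrieved HTML uses to hand control to MSDT.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return attachedTemplate targets that resolve over http/https.

    Local templates (file:// paths or relative names) are normal and are not reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships at all: nothing to flag
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if urlsplit(target).scheme.lower() in ("http", "https"):
                hits.append(target)
    return hits


def references_msdt(html_text):
    """True if the HTML (e.g. a fetched remote template) references the ms-msdt: scheme."""
    return bool(MSDT_URI.search(html_text))


def build_sample_docx(template_target):
    """Constructed sample: a minimal .docx-style zip carrying only the parts the check reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{RELS_NS}">\n'
        f'  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>\n'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed sample HTML; the URI body is a placeholder, not a real MSDT invocation.
SAMPLE_HTML = (
    '<html><body><script>window.location.href = "ms-msdt:PLACEHOLDER";</script></body></html>'
)

if __name__ == "__main__":
    suspicious = build_sample_docx("https://example.invalid/template.html")
    benign = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("remote templates (suspicious):", find_remote_templates(suspicious))
    print("remote templates (benign):    ", find_remote_templates(benign))
    print("html references ms-msdt:", references_msdt(SAMPLE_HTML))
```

A remote template on its own is a legitimate Word feature, so the first check is a triage signal rather than a verdict; the second check is applied to whatever the template URL returns. Note that the RTF preview path mentioned above does not go through a .docx zip, so an RTF sample would need its own parser for the same template reference.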

How Widespread is this?

While the attack that leverages the vulnerability does not appear to be widespread, more attacks are expected because Proof-of-Concept code is available and a patch has not yet been released.

Has Microsoft Released a Patch?

No, Microsoft has not released a patch yet.

Microsoft Windows versions affected?

  • Product: Windows
    • Versions Affected:
      • 10 Version 1809 for 32-bit Systems
      • 10 Version 1809 for x64-based Systems
      • 10 Version 1809 for ARM64-based Systems
      • 10 for 32-bit Systems
      • 10 for x64-based Systems
      • 10 Version 1607 for 32-bit Systems
      • 10 Version 1607 for x64-based Systems
      • 7 for 32-bit Systems Service Pack 1
      • 7 for x64-based Systems Service Pack 1
      • 8.1 for 32-bit Systems
      • 8.1 for x64-based Systems
      • RT 8.1
  • Product: Windows Server
    • Versions Affected:
      • 2019
      • 2019 (Core installation)
      • 2016
      • 2016 (Core installation)
      • 2008 for 32-bit Systems Service Pack 2
      • 2008 for 32-bit Systems Service Pack 2 (Core installation)
      • 2008 for x64-based Systems Service Pack 2
      • 2008 for x64-based Systems Service Pack 2 (Core installation)
      • 2008 R2 for x64-based Systems Service Pack 1
      • 2008 R2 for x64-based Systems Service Pack 1 (Core installation)
      • 2012
      • 2012 (Core installation)
      • 2012 R2
      • 2012 R2 (Core installation)
  • Additional affected products:
    • Windows 10 Version 21H1 for x64-based Systems
    • Windows 10 Version 21H1 for ARM64-based Systems
    • Windows 10 Version 21H1 for 32-bit Systems
    • Windows Server 2022
    • Windows Server 2022 (Server Core installation)
    • Windows Server 2022 Azure Edition Core Hotpatch
    • Windows 10 Version 20H2 for x64-based Systems
    • Windows 10 Version 20H2 for 32-bit Systems
    • Windows 10 Version 20H2 for ARM64-based Systems
    • Windows Server, version 20H2 (Server Core Installation)
    • Windows 11 for x64-based Systems
    • Windows 11 for ARM64-based Systems
    • Windows 10 Version 21H2 for 32-bit Systems
    • Windows 10 Version 21H2 for ARM64-based Systems
    • Windows 10 Version 21H2 for x64-based Systems
