Advisory 20

TLP Rating: White

Vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.

On the 31st May 2022, Microsoft disclosed a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). CERT Vanuatu has received an advisory on this threat from its collaborating partners, the Australian Cyber Security Centre (ACSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA).

CERTVU advises its constituents using Microsoft products to act swiftly to address this threat. Since it is a ‘Zero Day’ threat, there is no patch available to date; however, it is important to take note of the Mitigation Process below.

What is it?

Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability, CVE-2022-30190, known as "Follina", affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.

This vulnerability, labelled “Follina”, can be exploited by an attacker sending a URL to a vulnerable machine. Successful exploitation of this vulnerability allows an attacker to install programs, view or change data, or create new accounts in line with the victim’s user permissions.

Disabling Microsoft Office Macros does not prevent exploitation of this vulnerability.

Mitigation Process / How do I Stay Safe?

A patch is not currently available. It is advised that all organizations and companies in Vanuatu who use Microsoft Office products should review their system configurations, and follow Microsoft’s guidance on implementing a workaround until a patch is available.

CERTVU also recommends:

  • Corporate networks using Microsoft Defender for Endpoint Security should follow Microsoft’s advice on how to block all Office applications from creating child processes.
  • Corporate networks using Group Policy should follow Microsoft’s advice on disabling Troubleshooting Wizards via the EnableDiagnostics registry value until a patch is available.
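
A read-only check of whether these mitigations are in place on a Windows host, added here as an example and not taken from CERTVU or Microsoft. The registry path, the attack surface reduction (ASR) rule GUID and the `ms-msdt` handler key are assumptions drawn from Microsoft's public documentation rather than from this advisory, and the function name is hypothetical.

```powershell
# Added example: read-only audit of CVE-2022-30190 mitigations. Changes nothing.
# Assumptions (from Microsoft's public documentation, not this advisory):
#   - policy key  HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics
#   - ASR rule    D4F940AB-401B-4EFC-AADC-AD5F3C50688A
#                 ("Block all Office applications from creating child processes")
#   - workaround  removal of the HKEY_CLASSES_ROOT\ms-msdt protocol handler key
function Test-MsdtMitigation {   # hypothetical name
    [CmdletBinding()]
    param()

    # 1. Troubleshooting Wizards disabled by policy: EnableDiagnostics = 0
    $diagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    $diag = Get-ItemProperty -Path $diagKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
    $wizardsDisabled = ($null -ne $diag) -and ($diag.EnableDiagnostics -eq 0)

    # 2. State of the ASR rule; Get-MpPreference exists only where Defender is installed
    $asrRule  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    $asrState = 'NotConfigured'
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $pref    = Get-MpPreference -ErrorAction SilentlyContinue
        $ids     = @($pref.AttackSurfaceReductionRules_Ids)
        $actions = @($pref.AttackSurfaceReductionRules_Actions)
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $asrRule) {          # -eq is case-insensitive for strings
                $asrState = switch ([int]$actions[$i]) {
                    0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
                    default { "Unknown($($actions[$i]))" }
                }
            }
        }
    } else {
        $asrState = 'DefenderCmdletsUnavailable'
    }

    # 3. Is the ms-msdt URL protocol handler still registered?
    $handlerPresent = Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        TroubleshootingWizardsOff   = $wizardsDisabled
        OfficeChildProcessAsrState  = $asrState
        MsdtProtocolHandlerPresent  = $handlerPresent
        # A host counts as mitigated here if any one control is enforcing
        Mitigated = $wizardsDisabled -or ($asrState -eq 'Block') -or (-not $handlerPresent)
    }
}

Test-MsdtMitigation | Format-List
```

An ASR state of `Audit` or `Warn` logs or prompts but does not block, so the function reports only `Block` as a mitigation.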

Microsoft Office users should continue to monitor Microsoft’s website for updates and future vulnerabilities.

References

  1. https://www.cyber.gov.au/acsc/view-all-content/alerts/exploitation-microsoft-office-vulnerability-follina
  2. https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
  3. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/