CISAnalysis - June 20, 2022

It’s Monday and time to take a gander at CISA’s Known Exploited Vulnerabilities Catalog.

The only new addition to the list is the Follina Zero-Day Vulnerability, CVE-2022-30190, but it’s a doozy as we are all well-aware.

Follina is a remote code execution vulnerability within the Microsoft Windows Support Diagnostic Tool that can be exploited through a malicious MS Office document. The method of exploitation for this vulnerability involves malicious email attachments and social engineering. A successful exploitation allows an attack to run arbitrary code with the privileges of the calling application – install programs, view, modify and destroy data, etc.

Although Follina has been actively exploited by malicious, state-backed actors like Chinese APT actor TA413, Microsoft has continually downplayed the vulnerability’s severity. Many exploit attempts have been noted to have targeted EU and US government workers.

How Does It Work?

A malicious document attached to some sort of urgent sounding email is opened. This infected file contains a link to an HTML file that uses the ms-msdt MSProtocol URI scheme to execute PowerShell code without directly launching powershell.exe.

Mitigation

A patch for CVE-2022-30190 was released with Microsoft’s June 2022 cumulative Windows Updates. While the update doesn’t prevent msdt.exe from automatically spawning, it does prevent PowerShell injection.

Though Microsoft is downplaying Follina, It's important to make sure your systems are patched as this vulnerability is being actively exploited in the wild. We would be happy to assist you in deploying the updates in your environment. Click here to get started.