One Article Review
| Source |  Fortinet ThreatSignal |
|---|---|
| Identifiant | 4907220 |
| Date de publication | 2022-05-31 10:18:52 (vue: 2022-05-31 18:06:15) |
| Titre | Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild |
| Texte | FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.Why is the Significant?This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.What is CVE-2022-30190?The vulnerability is a remote code execution vulnerability that was named "Follina" by a security researcher Kevin Beaumont. The name "Follina" was derived from the 0-day code referencing "0438", which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word and retrieves a remote HTML file. The retrieved HTML file uses the "ms-msdt" MSProtocol URI scheme load and execute the PowerShell payload. Note that ms-msdt refers to "Microsoft Support Diagnostic Tool", which a legitimate Microsoft tool collects and sends system information back to the Microsoft for problem diagnostic.What is concerning is that the vulnerability reportedly can be exploited if even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document file is changed to RTF form, even previewing the document the vulnerability in Windows Explorer can trigged the exploit.How Widespread is this?While the attack that leverages the vulnerability does not appear to be widespread, however more attacks are expected as Proof-of-Concept code is available and a patch has not yet been released. Does the Vulnerability Have CVE Number?CVE-2022-30190 has been assigned to the vulnerability.Has Microsoft Released an Advisory?Yes. See the Appendix for a link to " Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".Has Microsoft Released a Patch?No, Microsoft has not released a patch yet.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the known sample that are associated with CVE-2022-30190:MSWord/Agent.2E52!tr.dldrKnown network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability". |
| Envoyé | Oui |
| Condensat | 0438 12th 2022 2e52 30190 30190:msword/agent abuses accounts additional advisory against allowed allows also any appear appeared appendix application april arbitrary are area assigned associated attack attacker attacks available aware back beaumont because becomes been being blocked blog calling can change changed client code collects concept concerning context coverage create currently cve data day delete deliver derived diagnostic disabled discussed dldrknown document does even execute execution expected exploit exploitation exploited exploits explorer feature file files first follina follina: following form fortiguard from guidance has have how however html includes information install investigating iocs italy kevin known labs legitimate leverages link load macros malicious malware microsoft mitigation more most msdt msprotocol name named network new not note number office official one online patch payload powershell prevalent previewing privileges problem programs proof provides referencing refers released remote reportedly researcher retrieved retrieves rights rtf run sample scheme security see sends signal significant status successful successfully such suggested support system template then threat tool trigged updated uri user uses view virustotal vulnerability ways webfiltering what when which who why widely widespread wild will windows word yet |
| Tags | Malware Tool Vulnerability Threat |
| Stories | |
| Notes | ★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.