CVE-2022-30190


Recommended Posts

Recently CVE-2022-30190 was disclosed by Microsoft (https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/) and is detected by Microsoft Defender. Will my customers' ESET Endpoint detect this? I cannot find any info on it.


I just chatted ESET support and got the agent's permissions to add this.

Date: 2022-06-01 12:32:55 PDT
To: Everyone
From: Wyatt P.
    Can confirm we detect it as Win32/Exploit.CVE-2022-30190 trojan.
----------------------------------------------------------
Date: 2022-06-01 12:33:21 PDT
To: Everyone
From: Wyatt P.
    These are the Microsoft recommendations
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
----------------------------------------------------------
Date: 2022-06-01 12:33:28 PDT
To: Everyone
From: Wyatt P.
    No patch from MS available at this moment


13 minutes ago, TStowy65 said:

That is not enough to fully mitigate this vulnerability. See my posting here: https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/?do=findComment&comment=151719


Posted (edited)

I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe -EDIT- and C:\Windows\SysWOW64\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes."

Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Edited by itman

4 hours ago, itman said:

I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes."

Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

And it also applies to: C:\Windows\SysWOW64\msdt.exe ?


Posted (edited)
8 hours ago, czesetfan said:

And it also applies to: C:\Windows\SysWOW64\msdt.exe ?

If you are running a 32 bit version of MS Office, then the answer is yes. Also possibly if you are running a 32 bit version of Windows. Adding both System32 and SysWOW64 versions might be a good idea.

Edited by itman

Posted (edited)

BTW - this ms-msdt use isn't the only exploit that currently exists in MS Office:

Quote

This was seen yesterday when Hickey converted existing Microsoft Word MSDT exploits to use the search-ms protocol handler we described earlier.

With this new PoC, when a user opens a Word document, it will automatically launch a 'search-ms' command to open a Windows Search window that lists executables on a remote SMB share. This share can be named whatever the threat actor wants, such as 'Critical Updates,' prompting the users to install the listed malware.

Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched. pic.twitter.com/iYbZNtMpnx

— hackerfantastic.crypto (@hackerfantastic) June 1, 2022

Like the MSDT exploits, Hickey also showed that you could create RTF versions that automatically open a Windows Search window when the document is rendered in the Explorer preview pane.

Here is the same search-ms attack being leveraged through an RTF document when Windows Preview Pane is enabled... 😉 pic.twitter.com/AmOeGWltjm

— hackerfantastic.crypto (@hackerfantastic) June 1, 2022

By using this type of malicious Word document, threat actors can create elaborate phishing campaigns that automatically launch Windows Search windows on recipients' devices to trick them into launching malware.

While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns.

Although we've already found ways threat actors could exploit this new flaw in the wild, we're not going to share this information for obvious reasons.

To mitigate this vulnerability, Hickey says you can use the same mitigation for ms-msdt exploits - delete the search-ms protocol handler from the Windows Registry.

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg"
  3. Execute the command "reg delete HKEY_CLASSES_ROOT\search-ms /f"

https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

This leads me to believe that it might be advisable to take the Microsoft Defender ASLR rule approach in regards to MS Office executables and block all child process startup from them. Of course, this might bork something legit.

Edited by itman
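The quoted procedure backs up and deletes the search-ms handler with two reg.exe commands; the same steps are the Microsoft workaround for ms-msdt. As an added example (not from this thread or from ESET), the PowerShell below audits both handlers, refuses to delete unless the backup file was actually written, and keeps a restore path for when the patch lands. The handler list and the backup folder under ProgramData are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example, not part of the forum thread. Audit, back up and remove the
# ms-msdt and search-ms URI handlers discussed above. Assumed: the handler
# list and the backup folder. Requires an elevated PowerShell session.

$Handlers  = @('ms-msdt', 'search-ms')
$BackupDir = Join-Path $env:ProgramData 'ProtocolHandlerBackups'   # assumed location

function Get-ProtocolHandlerState {
    # One object per handler: is the key present, and what does it launch?
    foreach ($h in $Handlers) {
        $key = "Registry::HKEY_CLASSES_ROOT\$h"
        $cmd = $null
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path "$key\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ Handler = $h; Present = (Test-Path $key); Command = $cmd }
    }
}

function Disable-ProtocolHandler {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKEY_CLASSES_ROOT\$Name"
    if (-not (Test-Path "Registry::$key")) {
        Write-Output "${Name}: not present, nothing to do"
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "$Name-$stamp.reg"
    # Same reg.exe export/delete as the quoted procedure; the export is the undo path.
    & reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup of $key failed; refusing to delete"
    }
    & reg.exe delete $key /f | Out-Null
    Write-Output "${Name}: removed, backup at $backup"
}

function Restore-ProtocolHandler {
    # Re-import the newest backup for a handler (e.g. once Microsoft ships a fix).
    param([Parameter(Mandatory)][string]$Name)
    $latest = Get-ChildItem -Path $BackupDir -Filter "$Name-*.reg" |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup found for $Name in $BackupDir" }
    & reg.exe import $latest.FullName | Out-Null
}

Get-ProtocolHandlerState | Format-Table -AutoSize
foreach ($h in $Handlers) { Disable-ProtocolHandler -Name $h }
```

Run Get-ProtocolHandlerState again afterwards to confirm both handlers report Present = False; Restore-ProtocolHandler -Name ms-msdt puts the original key back from the newest .reg backup.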

On 6/1/2022 at 7:19 PM, itman said:

I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe -EDIT- and C:\Windows\SysWOW64\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes."

Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Thanks for this @itman, is there anything else that I can do with ESET to block this? I have done the MS registry key already at work.

Cheers.


Posted (edited)
13 hours ago, Trooper said:

Thanks for this @itman, is there anything else that I can do with ESET to block this? I have done the MS registry key already at work.

Based on my testing of recent Follina malware samples, Eset has you covered in regards to this specific msdt.exe exploit. All samples were detected upon download; either by signature detection of payload or via Eset exploit protection by CVE.

However, there's another exploit technique that has been discovered that I posted about over at wilderssecurity.com and described here: https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/. This one appears to be a Microsoft Defender bypass since opening of the malware dropper, a .cab file, bypassed Mark-of-the-Web checking. Until shown otherwise, I would say Eset should cover this one also.

-EDIT- Looks like Eset has issues with Qbot malware deployment of Follina exploit: https://forum.eset.com/topic/32642-eset-not-detecting-qbot-deploying-follina-exploit/

Edited by itman

6 hours ago, itman said:

Based on my testing of recent Follina malware samples, Eset has you covered in regards to this specific msdt.exe exploit. All samples were detected upon download; either by signature detection of payload or via Eset exploit protection by CVE.

However, there's another exploit technique that has been discovered that I posted about over at wilderssecurity.com and described here: https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/. This one appears to be a Microsoft Defender bypass since opening of the malware dropper, a .cab file, bypassed Mark-of-the-Web checking. Until shown otherwise, I would say Eset should cover this one also.

-EDIT- Looks like Eset has issues with Qbot malware deployment of Follina exploit: https://forum.eset.com/topic/32642-eset-not-detecting-qbot-deploying-follina-exploit/

Thank you for your reply. Looks like ESET has now addressed the Qbot malware deployment as well. Cheers.
