Microsoft Follina Vulnerability Workaround (CVE-2022-30190)

Sidney Sahdala

Version: 1.0

Description:

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

This package contains two Agent Procedures.

  1. Security - Microsoft Follina Vulnerability Workaround (CVE-2022-30190)
  2. Security - Revert Microsoft Follina Vulnerability Workaround Changes (CVE-2022-30190)

The first Agent Procedure mitigates the vulnerability by deleting the registry key that registers the ms-msdt: URL protocol handler (HKEY_CLASSES_ROOT\ms-msdt), so a document can no longer launch MSDT through that handler. This is the workaround Microsoft recommends, and it can be found at the following link:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center

Note that with the handler removed, ms-msdt: links elsewhere in Windows stop working; the built-in troubleshooters are still reachable from the Get Help app and from Settings. Microsoft has since fixed the underlying flaw in the June 2022 Windows security updates, so the workaround is mainly useful for endpoints that cannot yet take that update.

Before the registry key is removed, the Agent Procedure takes a backup of the key and stores it in your Kworking\System folder.

The second Agent Procedure reverts the change by importing the backed-up registry key, in case removing it causes problems for you. It shouldn't, but just in case, I added this Agent Procedure.

After applying the workaround, you should have your users reboot the system. You can add the reboot command to the end of the Agent Procedure. I don't want to force a reboot; you decide what works best for you.

IMPORTANT: Some antivirus and Zero Trust solutions may block changes to the registry. If this Agent Procedure never completes, or the entry is not deleted, it is most likely because your AV or Zero Trust solution is blocking the change; you must allow the agent to modify the registry, then re-run the procedure and confirm the key is gone.
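As an added illustration (this is not one of the package's Agent Procedures, which ship as Kaseya XML, and it is not Microsoft's code), the following PowerShell script performs the same three operations the package describes: back up HKEY_CLASSES_ROOT\ms-msdt, delete it and verify the deletion, or re-import the backup. The backup directory, the file name ms-msdt-backup.reg and the parameter names are assumptions made for the example; the package itself writes to the agent's Kworking\System folder. The script must run elevated, and the verification step after the delete is what tells you an AV or Zero Trust agent silently blocked the change.

```powershell
# Added example, not the package's Agent Procedure. Mirrors Microsoft's guidance
# (reg export / reg delete / reg import on HKEY_CLASSES_ROOT\ms-msdt). Run elevated.
param(
    [ValidateSet('Check', 'Apply', 'Revert')]
    [string]$Action = 'Check',
    # Assumed backup location; the package uses the agent's Kworking\System folder.
    [string]$BackupDir = 'C:\kworking\System'
)

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $BackupDir 'ms-msdt-backup.reg'   # assumed file name

function Test-MsdtHandler {
    # True if the ms-msdt: URL protocol handler is still registered.
    Test-Path -LiteralPath "Registry::$Key"
}

switch ($Action) {
    'Check' {
        if (Test-MsdtHandler) {
            Write-Output "VULNERABLE: $Key is present"
            exit 1      # non-zero lets a scheduler flag hosts that still need the workaround
        }
        Write-Output "OK: $Key is absent"
        exit 0
    }
    'Apply' {
        if (-not (Test-MsdtHandler)) {
            Write-Output "Nothing to do: $Key already absent"
            exit 0
        }
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        # Back up first; refuse to delete if the export failed.
        reg.exe export $Key $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
            throw "Backup to $BackupFile failed; not deleting $Key"
        }
        reg.exe delete $Key /f | Out-Null
        # Verify rather than trust the exit code: an AV/Zero Trust agent can block the
        # write and leave the key in place.
        if (Test-MsdtHandler) {
            throw "$Key still present after delete; check for AV/Zero Trust registry protection"
        }
        Write-Output "Workaround applied; backup at $BackupFile"
    }
    'Revert' {
        if (-not (Test-Path -LiteralPath $BackupFile)) {
            throw "No backup found at $BackupFile; cannot revert"
        }
        reg.exe import $BackupFile | Out-Null
        if (-not (Test-MsdtHandler)) {
            throw "$Key not restored after import"
        }
        Write-Output "Workaround reverted from $BackupFile"
    }
}
```

Run it as `.\Follina-Workaround.ps1 -Action Apply` from an elevated prompt, `-Action Revert` to restore the handler, and `-Action Check` (the default) to audit a host; the Check mode exits 1 while the key exists, which is convenient for scheduled compliance scans.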

Instructions:

Extract the XML files from the zip file you downloaded.

Go to:

Agent Procedures > Manage Procedures > Schedule / Create

Import the Agent Procedures by right clicking on a folder in the list of folders and select:

Import Folder/Procedure

Click the Camera button and navigate to the XML file from the zip that you want to import.

Then click Save.

You should see the Agent Procedure appear in the folder you selected.

Run the Workaround procedure on the endpoints from which you want to remove the vulnerability.