Microsoft has released official mitigation guidance for CVE-2022-30190 (“Follina”), and an unauthenticated RCE via OGNL injection in Confluence has been published.
Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-05-30 to 2022-06-06.
Follina is a zero-day that allows code execution through Office products. Historically, whenever there has been an easy way to execute code directly from an Office document, it has been abused. This vulnerability bypasses the protection of having macros disabled, and vendor detection is still poor.
Over the weekend, additional samples exploiting this vulnerability in the ms-msdt protocol handler were discovered (Twitter, Twitter, SANS).
In the meantime, Microsoft has published its mitigation recommendation: disable the MSDT URL protocol. In a managed environment this is best deployed via a GPO. The first command backs up the handler's registry key so the change can be reverted once a patch is available; the second removes it:
reg export HKEY_CLASSES_ROOT\ms-msdt follina.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Initially, the vendor advisory for this unauthenticated RCE did not include a patch, even though the vulnerability was already being actively exploited in the wild. The recommended mitigation was to restrict network access to vulnerable instances. Proof-of-concept code is available and widespread scanning has started. The details show that the vulnerability is an OGNL injection: an OGNL expression placed in the request path is evaluated server-side, as in the published PoC below, which is URL-encoded and writes a marker file.
curl -v http://127.0.0.1/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
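Because the injection arrives in the request path, the quickest retrospective check is to decode your Confluence (or reverse proxy) access logs and look for OGNL expression syntax. The following Python scanner is an added example, not code from this post or from Atlassian: it percent-decodes each request path repeatedly (so double-encoded variants are normalised too), flags any `${...}` expression, and raises the severity when the expression references Java runtime execution, which is the pattern the PoC above uses. The log lines are constructed samples in combined log format; the thresholds and token list are assumptions you should tune to your environment.

```python
import re
from urllib.parse import unquote

# OGNL expression delimiters to look for once the path has been decoded.
OGNL_EXPR = re.compile(r"\$\{.*?\}")

# Tokens that turn an OGNL expression into a code-execution attempt
# (assumed list; extend with whatever your own incident data shows).
SUSPICIOUS_TOKENS = (
    "@java.lang.Runtime@",
    "getRuntime()",
    ".exec(",
    "ProcessBuilder",
)

# Combined-log-format request line: ip ident user [ts] "METHOD path PROTO" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample access-log lines, not real traffic. Line 1 is the
# published PoC path, line 3 a double-encoded variant of it, line 4 a benign
# page title that happens to contain "${}" and should only rate "low".
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:22 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2022:10:01:30 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Jun/2022:10:02:01 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
10.0.0.3 - - [03/Jun/2022:10:03:10 +0000] "GET /rest/api/content?title=Release%20%24%7B2022%7D HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double- or triple-encoded payloads are compared in their plain form."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(path):
    """Return (severity, expression) for one request path.

    "clean": no OGNL syntax; "low": an expression without execution
    tokens (worth a look, often a false positive); "high": an expression
    that references runtime/process execution."""
    decoded = fully_decode(path)
    exprs = OGNL_EXPR.findall(decoded)
    if not exprs:
        return ("clean", None)
    for expr in exprs:
        if any(tok in expr for tok in SUSPICIOUS_TOKENS):
            return ("high", expr)
    return ("low", exprs[0])


def scan_log(text):
    """Parse each access-log line and return the non-clean requests."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        severity, expr = classify_request(m.group("path"))
        if severity != "clean":
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "severity": severity,
                "expr": expr,
                "path": fully_decode(m.group("path")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:10} {f['ts']}  {f['path']}")
```

Run it over your real log with `scan_log(open(path).read())`; any "high" hit from before the patch date is a reason to treat the instance as compromised rather than merely scanned, since a 302 or 200 on such a request means the expression was evaluated.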
ALPHV compromised the federal state of Carinthia in May (alphv…onion). The ransom demand is said to be around 5 million USD. The group has released a first set of files from the breach, including passport copies and bank information, which probably originate from the COVID-19 testing campaign.