On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data or create new accounts in the context allowed by the user’s rights.
Currently at the time of writing this blog post, there is no patch available from Microsoft to fix this issue but there is a workaround suggested by Microsoft to disable MSDT URL protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links including links throughout the operating system.
Most of the Windows Client and Windows Server Operating Systems are impacted. For full information, you can follow the Microsoft advisory link https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190.
Workaround
The Workaround to fix this vulnerability immediately is to delete the ms-msdt registry key. If you have a couple of machines to fix this vulnerability on, then you can simply open the registry editor on each PC, browse to HKEY_CLASSES_ROOT find ms-msdt, and delete this key. Alternatively, you can open a command prompt as administrator on each PC and type below commands.
First line of the command will take the backup of the registry key ms-msdt and the second line of the code will delete the registry key.
reg export HKEY_CLASSES_ROOT\ms-msdt msdtregkeybackup.reg reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Delete msdtregbackup Registry key using Intune
If you are using Microsoft Intune to manage all your organization devices, you can simply create a Powershell script and deploy it via Intune. I have created the below Powershell script and saved it in a file called msdtregfix.ps1.
if(Test-path C:\msdtregbackup)
{
reg export HKEY_CLASSES_ROOT\ms-msdt C:\msdtregbackup\msdtkey.reg /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
}
else
{
New-item "C:\msdtregbackup" -itemtype Directory
reg export HKEY_CLASSES_ROOT\ms-msdt C:\msdtregbackup\msdt.reg /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
}
Deploy a Powershell script from Intune
- Login on Microsoft Intune admin center
- Browse to Devices -> Windows -> Powershell Scripts
- Click on Add -> Type any suitable Name for example: CVE-2022-30190 Vulnerability Fix.
- Script Location -> Browse to your Powershell Script
- Run this script using the logged-on credentials –> No
- Enforce script signature check–> No
- Run script in 64-bit PowerShell Host–> Yes
- Assignments -> Assign your script to an Azure AD security Group and add your test devices to that group. Once the testing is completed, push this Powershell script to all user’s devices.
- Review + Add.
- Results of the script deployment.
Conclusion
In this blog post, you have seen how to fix the Vulnerability CVE-2022-30190 on Windows devices. Apart from that, How to delete a registry key manually and also by using Microsoft Intune.
