Fix CVE-2022-30190 vulnerability Using Microsoft Intune

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

A remote code execution vulnerability exists when MSDT uses the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

At the time of writing this blog post, Microsoft has not released a patch to fix this issue, but it has suggested a workaround: disable the MSDT URL protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system.

Most of the Windows Client and Server Operating Systems are impacted. For full information, follow the Microsoft advisory link: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190.

Workaround

The immediate workaround is to delete the ms-msdt registry key. If you only have a couple of machines to fix, you can simply open the registry editor on each PC, browse to HKEY_CLASSES_ROOT, find ms-msdt, and delete this key. Alternatively, you can open a command prompt as an administrator on each PC and type the commands below.

The first command backs up the ms-msdt registry key, and the second command deletes it.

reg export HKEY_CLASSES_ROOT\ms-msdt msdtregkeybackup.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Delete ms-msdt Registry key using Intune

If you use Microsoft Intune to manage all your organization's devices, you can create a PowerShell script and deploy it via Intune. I have created the below PowerShell script and saved it in a file called msdtregfix.ps1.

# Folder that holds the backup of the ms-msdt key
$backupDir = "C:\msdtregbackup"

# Create the backup folder if it does not exist yet
if (-not (Test-Path $backupDir))
{
    New-Item $backupDir -ItemType Directory | Out-Null
}

# Back up the ms-msdt key (same file name on every run), then delete the key
reg export HKEY_CLASSES_ROOT\ms-msdt "$backupDir\msdtkey.reg" /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Deploy a PowerShell script from Intune

  • Log in to the Microsoft Intune admin center.
  • Browse to Devices -> Windows -> PowerShell Scripts.
  • Click on Add -> Type any suitable Name, for example: CVE-2022-30190 Vulnerability Fix.
  • Script Location -> Browse to your PowerShell script.
  • Run this script using the logged-on credentials -> No
  • Enforce script signature check -> No
  • Run script in 64-bit PowerShell Host -> Yes
  • Assignments -> Assign your script to an Entra Security Group and add your test devices. Once the testing is completed, push this PowerShell script to all users' devices.
  • Review + Add.
  • Results of the script deployment.
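
The deployment result shows that the script ran; to confirm on a device that the ms-msdt key is actually gone and a backup exists, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original post: the function name and the exit-code convention are assumptions, and the paths mirror the deployment script above.

```powershell
# Added example: verify the ms-msdt workaround on one device (run elevated).
# The function name and exit codes are assumptions made for this example.
$keyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupDir = 'C:\msdtregbackup'

function Get-MsdtWorkaroundState {
    param(
        [string]$KeyPath,
        [string]$BackupDir
    )

    # The URL protocol handler is disabled only when the key is absent.
    $keyPresent = Test-Path -LiteralPath $KeyPath

    # Any non-empty .reg file in the backup folder counts as a usable backup.
    $backups = @()
    if (Test-Path -LiteralPath $BackupDir) {
        $backups = @(Get-ChildItem -LiteralPath $BackupDir -Filter '*.reg' -File |
                     Where-Object { $_.Length -gt 0 })
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        KeyPresent  = $keyPresent
        Mitigated   = -not $keyPresent
        BackupFiles = $backups.Name -join ', '
        Restorable  = $backups.Count -gt 0
    }
}

$state = Get-MsdtWorkaroundState -KeyPath $keyPath -BackupDir $backupDir
$state | Format-List

# Exit codes (assumed convention):
#   0 = key removed and a backup is available
#   1 = key still present, workaround not applied
#   2 = key removed but no backup file found
if ($state.KeyPresent) { exit 1 }
elseif (-not $state.Restorable) { exit 2 }
else { exit 0 }
```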

Conclusion

In this blog post, you have seen how to fix vulnerability CVE-2022-30190 on Windows devices. You have also learned how to delete a registry key manually and how to do the same with Microsoft Intune.
