The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified two more flaws that are being actively exploited in the wild and has added them to its Known Exploited Vulnerabilities Catalog.
For those unversed, the Known Exploited Vulnerabilities Catalog is a list of vulnerabilities that CISA has identified as being exploited or as having been used by threat actors.
Let’s have a look at both flaws. Each has received a high-severity score and is a directory traversal vulnerability that could help threat actors install malware on the victim’s system.
Windows DogWalk Bug
Officially tracked as CVE-2022-34713 and publicly known as DogWalk, this vulnerability in Microsoft’s Windows Support Diagnostic Tool (MSDT) allows attackers to gain remote code execution (RCE) on compromised systems and add a malicious executable into the Windows Startup folder.
Apparently, the issue was originally discovered by a Hungarian security researcher, Imre Rad, in December 2019 and reported to Microsoft. However, the Redmond giant dismissed his report, saying it would not provide a fix because it did not consider the issue a security vulnerability. As a result, Imre posted a detailed blog about the vulnerability in January 2020.
Later, security researcher j00sean brought the problem back to public attention this year by summarising what an attacker could achieve by exploiting it and providing video evidence:
This is for sure an underrated 0day on Microsoft Support Diagnostics Tool. To summarize:
1) Persistence by startup folder.
2) MOTW bypass.
3) Not flagged by chromium-based file downloaders (Chrome, Edge or Opera).
4) Defender bypass.
All-in-one. Enjoy! https://t.co/lgTnDSxYGM pic.twitter.com/UyNyEYlH4c
— j00sean (@j00sean) June 2, 2022
On Monday, Microsoft issued an advisory stating that successful exploitation requires user involvement, an obstacle that can be easily overcome through social engineering, particularly in email and web-based attacks:
- In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
- In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.
An unofficial patch has been available since early June from the 0patch micropatching service, for the majority of the impacted Windows versions (Windows 7/10/11 and Server 2008 through 2022).
Microsoft addressed CVE-2022-34713 on Monday by releasing the August 2022 Patch Tuesday security updates for Windows and acknowledging that the issue has been exploited in attacks.
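Because the persistence step described above places a file in the Windows Startup folder, one defensive check is to inventory those folders on hosts that were unpatched during the exposure window. The PowerShell below is an added example, not code from Microsoft, CISA or the researchers named here; the extension list and the 30-day window are assumptions to tune.

```powershell
# Added example: inventory executable content in the Startup folders.
# The extension list and the 30-day window are assumptions, not values from the advisory.
$extensions = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta', '.lnk'
$since      = (Get-Date).AddDays(-30)

# Per-user and all-users Startup folders for the account running the script.
# Run it in each user context to cover the other profiles on the host.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Zone.Identifier is the alternate data stream that holds the Mark of the Web.
            # The summary quoted above lists a MOTW bypass, so a missing mark
            # must not be read as a sign that the file is benign.
            $motw = [bool](Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                               -ErrorAction SilentlyContinue)
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName

            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Recent    = $_.CreationTime -ge $since
                HasMotw   = $motw
                Signature = $sig.Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest first: recent entries that are not validly signed deserve review first.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Entries with `Recent` set to True and a `Signature` other than `Valid` are the ones to triage first; shortcuts (`.lnk`) always report as unsigned, so check their targets separately.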
UnRAR Bug Exploited
The second vulnerability, tagged as CVE-2022-30333, has also been added to CISA’s Known Exploited Vulnerabilities Catalog.
The security issue, which was disclosed by Swiss company SonarSource in late June, is a path traversal vulnerability found in the Linux and Unix versions of the UnRAR utility. Attackers could use this flaw for remote code execution (RCE) to compromise a Zimbra business email server without validation.
Earlier this month, the Metasploit penetration testing software added exploit code for it.
Federal agencies in the United States are expected to apply vendor patches for both vulnerabilities by August 30.