DogWalk and several vulnerabilities in Exchange | Kaspersky official blog
Author: Editorial Team | Date: Wed, 10 Aug 2022 17:05:08 +0000
With this August Patch Tuesday, Microsoft fixed more than a hundred vulnerabilities. Some of them require special attention from corporate cybersecurity personnel. Among them are 17 critical ones, two of which are zero-days. At least one vulnerability has already been actively exploited in the wild, so it would be wise not to delay patch deployment. It is no coincidence that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends paying attention to this update.
DogWalk (aka CVE-2022-34713) — RCE vulnerability in MSDT
The most dangerous of the newly closed vulnerabilities is CVE-2022-34713. Potentially, it allows remote execution of malicious code (it belongs to the RCE class). CVE-2022-34713, dubbed DogWalk, is a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), like Follina, which attracted a lot of attention in May of this year.
The problem lies in how the system handles Cabinet (.cab) archives. To exploit the vulnerability, an attacker needs to lure the user into opening a malicious file that saves a .diagcab archive to the Windows Startup folder, so that its contents are executed the next time the user restarts the computer and logs in.
DogWalk was actually discovered two years ago, but at that time the system's developers did not, for some reason, pay enough attention to the problem. The vulnerability is now fixed, but Microsoft has already detected its exploitation.
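Because the persistence mechanism described above relies on a file being planted in a Windows Startup folder, a quick audit of those folders is a reasonable defensive check while the update is being rolled out. The following PowerShell is an added example written for this post, not code from Kaspersky or Microsoft; it assumes it is run with rights to read every profile under the system drive, lists every file in the all-users and per-user Startup folders, flags .diagcab files and anything created within a configurable number of days (the 30-day default is a constructed value), and records a SHA-256 hash so findings can be compared against a baseline or a hash lookup.

```powershell
# Added example (not from the Kaspersky post): inventory Windows Startup folders,
# flagging .diagcab files (the DogWalk drop described in the post) and recently
# created entries. Assumes rights to read all user profiles on the machine.
function Get-StartupFolderInventory {
    [CmdletBinding()]
    param(
        # Files created within this many days are marked Recent (constructed default)
        [int]$RecentDays = 30
    )

    # All-users Startup folder plus the per-user folder of every local profile
    $startupPaths = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $startupPaths += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        }

    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($path in $startupPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Force includes hidden files, which a dropper may set to avoid notice
        Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Extension = $_.Extension
                    IsDiagcab = ($_.Extension -ieq '.diagcab')
                    Recent    = ($_.CreationTime -gt $cutoff)
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeBytes = $_.Length
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: show only the entries worth a closer look. A .diagcab file in any Startup
# folder is unusual, since diagnostic packages are not normally persisted there.
Get-StartupFolderInventory |
    Where-Object { $_.IsDiagcab -or $_.Recent } |
    Sort-Object Created -Descending |
    Format-Table Path, IsDiagcab, Recent, Created, SHA256 -AutoSize
```

Run it from an elevated session on endpoints, or wrap it in your management tooling and collect the objects centrally; the full (unfiltered) output doubles as a baseline for the next run.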
Other vulnerabilities to watch out for
The second zero-day vulnerability closed last Tuesday is CVE-2022-30134. It affects Microsoft Exchange. Information about it was published before Microsoft was able to create the patch, but so far this vulnerability has not been exploited in the wild. Theoretically, if an attacker manages to use CVE-2022-30134, they will be able to read the victim's email correspondence. This is not the only flaw in Exchange that the new patch fixes. It also closes CVE-2022-24516, CVE-2022-21980 and CVE-2022-24477, vulnerabilities that allow attackers to elevate their privileges.
As for the CVSS rating, two related vulnerabilities are the nominal leaders: CVE-2022-30133 and CVE-2022-35744. Both are found in the Point-to-Point Protocol (PPP). Both allow attackers to send requests to the remote access server, which can lead to the execution of malicious code on the machine. And both have the same CVSS score: 9.8.
For those who for some reason cannot install the patches immediately, Microsoft recommends closing port 1723 (the vulnerabilities can only be exploited through it). However, be aware that this may disrupt the stability of communications on your network.
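The port-1723 workaround is easy to apply but, as the post warns, it also cuts off legitimate PPTP VPN sessions, so it is worth checking first whether a host is actually exposed. The PowerShell below is an added example written for this post, not code from Kaspersky or Microsoft. It assumes the NetSecurity and NetTCPIP modules present on Windows 8 / Server 2012 and later, and an elevated session if a rule is to be created. It reports whether anything is listening on TCP 1723, the state of the Routing and Remote Access service, and whether an inbound block rule already exists; the rule is only created when -Block is passed, and the rule name is a constructed value.

```powershell
# Added example (not from the Kaspersky post): audit, and optionally apply, the
# temporary "close port 1723" workaround for CVE-2022-30133 / CVE-2022-35744.
# Assumes NetSecurity/NetTCPIP cmdlets and Administrator rights for -Block.
function Test-Pptp1723Exposure {
    [CmdletBinding()]
    param(
        # Default is audit only; pass -Block to create the inbound firewall rule
        [switch]$Block,
        # Constructed display name so the rule is easy to find and remove later
        [string]$RuleName = 'TEMP block inbound TCP 1723 (PPTP) until patched'
    )

    # 1. Anything listening on 1723? RRAS exposes PPTP on this port.
    $listeners = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    $rras      = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    # 2. Is an enabled inbound block rule for TCP 1723 already in place?
    $existing = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1723' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

    $report = [pscustomobject]@{
        Listening         = [bool]$listeners
        ListenerPids      = @($listeners | Select-Object -ExpandProperty OwningProcess -Unique)
        RemoteAccessState = if ($rras) { $rras.Status.ToString() } else { 'NotInstalled' }
        BlockRulePresent  = [bool]$existing
        RuleCreated       = $false
    }

    if ($Block -and -not $existing) {
        # This also stops legitimate PPTP VPN clients; remove the rule once the
        # August 2022 update is installed:  Remove-NetFirewallRule -DisplayName $RuleName
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 1723 -Action Block -Profile Any | Out-Null
        $report.RuleCreated = $true
    }
    return $report
}

# Usage: audit first, then re-run with -Block on hosts that are exposed and cannot be patched yet
Test-Pptp1723Exposure
```

A host with Listening = False and RemoteAccessState other than Running is not reachable on 1723 regardless of the rule, which lets you limit the disruptive workaround to the machines that actually need it.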
How to stay safe
We advise installing fresh Microsoft updates as soon as possible, and do not forget to check the FAQs, Mitigations, and Workarounds section of the update guide for the information relevant to your infrastructure.
In addition, remember that every computer in the company with Internet access (whether a workstation or a server) must be equipped with a reliable cybersecurity solution capable of protecting it against exploitation of even as-yet-undetected vulnerabilities.