Microsoft said it fixed a variant of a publicly known vulnerability that was first reported to the company in 2019. The flaw, known as “Dogwalk,” has been exploited by attackers, according to Microsoft in its regularly scheduled security update.
The important-severity remote code execution flaw (CVE-2022-34713) exists in the Microsoft Windows Support Diagnostic tool, which collects information and sends it to Microsoft Support in order to identify resolutions for various issues. Microsoft did not give further details about how the flaw has been exploited, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added it to its Known Exploited Vulnerabilities catalog.
The flaw was first discovered by security researcher Imre Rad and publicly disclosed in January 2020. While attackers can be remote to exploit the flaw, they would need to convince a target to open a specially crafted .diagcab file, either by sending them an email with the file or hosting a website that contains the file.
“An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” according to Microsoft’s security advisory on Tuesday.
In the initial 2020 public disclosure, Rad said that a flaw in the implementation of the Windows diagnostic tool enables attackers to save any files to any location on the file system before the integrity of these packages can be checked. An attacker could drop a file to the Windows Startup folder to be executed by the operating system when the target logs in, Rad said. When Rad reported the flaw initially to Microsoft in December 2019, the company responded that “as written this wouldn’t be considered a vulnerability.”
“The issue is that to make use of this attack an attacker needs to create what amounts to a virus, convince a user to download the virus, and then run it,” said Microsoft in its initial response to Rad. “No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already.”
However, in June the flaw resurfaced after a security researcher (going by the Twitter handle j00sean) found it again. Rad said that Microsoft then reassessed the issue “per our updated Windows bug bar… and determined that this issue meets our criteria for servicing with a security update.”
It’s not the first time Microsoft has backtracked after saying that it did not consider a reported bug to be a security flaw. In June, Microsoft issued a patch for the previously disclosed remote code execution “Follina” vulnerability (CVE-2022-30190) that had been under active exploitation by attackers. The patch came two months after the flaw was first reported to Microsoft, in mid-April, after a researcher informed the Microsoft Security Response Center (MSRC) that he had uncovered an exploit in the wild. At the time, Microsoft closed the ticket as it did not consider the vulnerability to be a security issue. The issue was reported again on May 27, and not long after that Microsoft released an advisory without a patch.
In its Patch Tuesday updates this week, Microsoft also issued a fix for another flaw that was previously disclosed (CVE-2022-30134) in Exchange, which if exploited could lead to information disclosure. The flaw has not been exploited in the wild, however, and Microsoft said that exploitation is “unlikely” due to the different factors that would need to go into an attack.
“This vulnerability requires that a user with an affected version of Exchange Server access a malicious server,” according to Microsoft’s security release. “An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.”
Overall, Microsoft released patches addressing flaws tied to 141 CVEs, including 17 rated critical and 102 rated important. Notable critical-severity flaws include an issue in the SMB Client and Server (CVE-2022-35804) that exists in the way that the Microsoft Server Message Block 3.1.1. (SMBv3) protocol handles certain requests. The vulnerability could enable a remote, unauthenticated attacker to execute code on impacted SMB servers. The advisory also includes three elevation of privilege bugs in Microsoft Exchange server (CVE-2022-21980, CVE-2022-24516 and CVE-2022-24477). The flaws could allow a bad actor to take control of Exchange user mailboxes in order to read or send emails; however, the attacker would need to first be authenticated to exploit the flaw.