The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation.
One of them has spent more than two years as a zero-day bug in the Windows Support Diagnostic Tool (MSDT) and it has exploit code publicly available.
Both security issues have received a high-severity score and are directory traversal vulnerabilities that could help attackers plant malware on a target system.
Windows DogWalk bug
Officially tracked as CVE-2022-34713 and informally referred to as DogWalk, the security flaw in MSDT allows an attacker to place a malicious executable into the Windows Startup folder.
The issue was initially reported to Microsoft by researcher Imre Rad in January 2020 but his report was misclassified as not describing a security risk and dismissed as such.
The problem came back to public attention this year by security researcher j00sean, who summarized what an attacker could achieve by exploiting it and provided video proof:
Successful exploitation requires user interaction, an obstacle easy to surpass through social engineering, especially in email and web-based attacks, Microsoft says in an advisory today:
In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.
An unofficial patch exists since early June from the 0patch micropatching service, for most of the affected Windows versions (Windows 7/10/11 and Server 2008 through 2022).
Microsoft addressed CVE-2022-34713 today as part of the August 2022 security updates for Windows. The company notes that the issue has been exploited in attacks.
UnRAR bug exploited
The second vulnerability added to CISA’s Known Exploited Vulnerabilities Catalog is tracked as CVE-2022-30333 and is a path traversal bug in the UnRAR utility for Linux and Unix systems.
An attacker could leverage it to plant a malicious file on the target system by extracting it to an arbitrary location during the unpack operation.
The security issue was disclosed by Swiss company SonarSource in late June in a report describing how it could be used for remote code execution to compromise a Zimbra email server without authentication.
Exploit code has been added to the Metasploit penetration testing software earlier this month.
For both vulnerabilities, federal agencies in the U.S. are expected to apply the updates from the vendors by August 30.