Dogwalk RCE variant among 121 vulnerabilities fixed in Microsoft's August Patch Tuesday
The second-biggest security update released by Microsoft this year featured 17 critical-rated RCEs and privilege escalation bugs


Microsoft has patched 17 ‘critical’ vulnerabilities and one remote code execution (RCE) zero-day in its August monthly Patch Tuesday.
A total of 121 vulnerabilities were patched in the Tuesday update, as well as 20 additional Chromium-based Microsoft Edge flaws on Friday 5 August.
Impacting Microsoft Windows Support Diagnostic Tool (MSDT), the zero-day vulnerability (CVE-2022-34713) is among the most notable fixes this month and is a variant of the previously disclosed ‘Dogwalk’, Microsoft said.
Rated 7.8 on the CVSSv3 severity scale, it can be exploited by tricking a target into opening a malicious document via email phishing, or through an attacker-controlled website that hosts a malicious file.
Dogwalk drew major attention in May 2022 but dates back to an initial discovery in 2020. It was ‘lazily’ named by a security researcher who was walking his dog at the time of being asked to name it, he claimed.
The vulnerability itself is a path traversal flaw in MSDT affecting Windows 7 devices or newer. To exploit it, targets have to become infected with a malicious .diagcab file, which drops the payload into the Windows Startup folder, where it is executed by Windows when the user next logs in, according to an analysis by SOC Prime.
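A detection check for the behaviour described above, added here as an example and not taken from Microsoft or SOC Prime: it flags file-creation events in which `msdt.exe` writes into a Startup folder, normalising any `..` segments first. The events are constructed samples with field names modelled on Sysmon's file-create event (`Image`, `TargetFilename`); the user name, directory names and file names are made up.

```python
import ntpath

# Per-user and all-users Startup folders, as lower-case path fragments.
STARTUP_FRAGMENTS = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup" + "\\",
    r"\programdata\microsoft\windows\start menu\programs\startup" + "\\",
)

def resolve(path):
    """Collapse '..' segments and mixed separators Windows-style, then lower-case."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def lands_in_startup(target):
    """True if the resolved target path sits inside a Startup folder."""
    resolved = resolve(target)
    return any(fragment in resolved for fragment in STARTUP_FRAGMENTS)

def flag_events(events, writer="msdt.exe"):
    """Return file-creation events where `writer` created a file in a Startup folder."""
    hits = []
    for event in events:
        image = ntpath.basename(resolve(event["Image"]))
        if image == writer and lands_in_startup(event["TargetFilename"]):
            hits.append(event)
    return hits

# Constructed sample events (assumption: the log may record unnormalised paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\diag_tmp\..\..\..\Roaming"
                       r"\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\diag_tmp\results.xml"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", resolve(hit["TargetFilename"]))
```

Only the first sample event is flagged: the second is a write by `msdt.exe` that stays in its temporary directory, and the third is a Startup write by a different process.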
A zero-day vulnerability is one that has previously been disclosed publicly and for which active exploitation has been spotted. A separate RCE flaw in MSDT (CVE-2022-35743) was also patched this month, but active exploitation has not been found, so it cannot be considered a zero-day.
Microsoft categorised 17 of the now-patched vulnerabilities as ‘critical’ since they facilitated the elevation of privileges and RCE. Only three of the 121 total flaws were classified as ‘critical’ on the CVSSv3 severity scale - vulnerabilities with scores between 9.0 and 10.0.
All three of the most severe vulnerabilities were RCEs, with one affecting Windows Network File System (NFS) (CVE-2022-34715) and two separate flaws impacting the Windows Point-to-Point Protocol (PPP) (CVE-2022-30133 and CVE-2022-35744).
CVE-2022-34715 was classed as a low-complexity exploit by Microsoft and involves an attacker making an unauthenticated call to an NFS service (version 4.0) to trigger an RCE.
Although rated 9.8/10.0 on the CVSSv3 scale, Microsoft branded this vulnerability as ‘important’, the second-highest severity rating, because a target would be presented with a prompt or warning during the kill chain.
CVE-2022-30133 and CVE-2022-35744 were both rated 9.8/10.0 on the CVSSv3 scale and also classified as ‘critical’ by Microsoft since RCE could be achieved without any user intervention at all.
In both cases, an unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), Microsoft said, which could lead to RCE on the RAS server machine.
The remaining critical-rated vulnerabilities, as classified by Microsoft, all fell below the ‘critical’ threshold of the CVSSv3 scale but require no user intervention to exploit them.
The remaining flaws impacted the following: Active Directory Domain Services, Windows Secure Socket Tunneling Protocol, Windows Hyper-V, SMB Client and Server, and Microsoft Exchange Server.
The full list of fixed vulnerabilities can be found on Microsoft’s dedicated web page.
August’s Patch Tuesday marks the second-biggest round of updates in 2022, behind April’s which fixed 145 different flaws.
Early reports from system administrator communities are indicating that the updates are applying successfully and not impacting any wider components as Patch Tuesday updates have in the past.
Earlier this year, Windows Server admins collectively agreed to forgo a month of patches due to the security updates causing other services in their IT environments to break.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.