Microsoft fixes exploited zero-day in Windows Support Diagnostic Tool (CVE-2022-34713)

The August 2022 Patch Tuesday has arrived, with fixes for an unexpectedly high number of vulnerabilities in various Microsoft products, including two zero-days: one actively exploited (CVE-2022-34713) and one not yet (CVE-2022-30134).

CVE-2022-34713

Vulnerabilities to prioritize

CVE-2022-34713 is a vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) that allows for remote code execution. For an attacker to exploit it, they must trick targets into opening a specially crafted file (delivered via email or downloaded from a website).

“Anything actively exploited in the wild must be at the top of the list of things to patch. This one is related to a wave of attacks in May when malicious documents were used to gain code execution via the MSDT tool,” noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.

According to Microsoft, CVE-2022-34713 is a variant of the vulnerability publicly known as Dogwalk.

“With reports that CVE-2022-34713 has been exploited in the wild, it would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spearphishing attacks. A variety of threat actors leverage spearphishing, from advanced persistent threat (APT) groups to ransomware affiliates,” commented Satnam Narang, senior staff research engineer at Tenable.

“We’ve seen flaws like CVE-2017-11882, a remote code execution bug in Microsoft Office, continue to be exploited years after patches have been made available. For attackers, bugs that can be executed via malicious documents remain a valuable tool, so flaws like Follina and CVE-2022-34713 will continue to be used for months. Therefore, it is vital that organizations apply the available patches as soon as possible.”

CVE-2022-30134 is a publicly known information disclosure vulnerability that affects Microsoft Exchange and could be exploited by attackers to read targeted email messages, but it’s not under attack at the moment.

More importantly, it seems, three other critical elevation of privilege vulnerabilities affecting Exchange – CVE-2022-24477, CVE-2022-24516, CVE-2022-21980 – have been patched by Microsoft.

“Rarely are elevation of privilege (EoP) bugs rated Critical, but these certainly qualify. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users. They could then read and send emails or download attachments from any mailbox on the Exchange server. Administrators will also need to enable Extended Protection to fully address these vulnerabilities,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative.

Additional instructions on how to perform those particular updates on on-prem Exchange installations have been provided by Microsoft, and affected users are urged to install them immediately.

“Exchanges can be treasure troves of information, making them valuable targets for attackers,” Breen commented.

“With CVE-2022-24477, for example, an attacker can gain initial access to a user’s host and could take over the mailboxes for all exchange users, sending and reading emails and documents. For attackers focused on business email compromise this kind of vulnerability can be extremely damaging.”

Finally, there’s CVE-2022-35804, an unauthenticated RCE affecting SMB clients and servers.

Childs says it’s potentially wormable and that while there is a workaround (disabling SMBv3 compression), applying the update is to be preferred.

“Microsoft has included a set of remediations that can prevent the attack from being successful, so organisations should consider applying them as soon as possible. Any mitigations that are applied should be tested for compatibility with any interacting services to ensure business continuity is not affected. The patch notes also include advice on limiting access from external connections to the SMB port 445,” Breen added.

Don't miss