Dogwalk RCE variant among 121 vulnerabilities fixed in Microsoft's August Patch Tuesday

The second-biggest security update released by Microsoft this year featured 17 critical-rated RCEs and privilege escalation bugs

Microsoft has patched 17 ‘critical’ vulnerabilities and one remote code execution (RCE) zero-day in its August monthly Patch Tuesday.

A total of 121 vulnerabilities were patched in the Tuesday update, as well as 20 additional Chromium-based Microsoft Edge flaws on Friday 5 August.

Impacting Microsoft Windows Support Diagnostic Tool (MSDT), the zero-day vulnerability (CVE-2022-34713) is among the most notable fixes this month and is a variant of the previously disclosed ‘Dogwalk’, Microsoft said.

Rated 7.8 on the CVSSv3 severity scale, it can be exploited by tricking a target into opening a malicious document via email phishing, or through an attacker-controlled website that hosts a malicious file.

Dogwalk drew major attention in May 2022 but dates back to an initial discovery in 2020. It was ‘lazily’ named by a security researcher who was walking his dog at the time of being asked to name it, he claimed.

The vulnerability itself is a path traversal flaw in MSDT affecting Windows 7 devices or newer. To exploit it, targets have to become infected with a malicious .diagcab file, which drops the payload into the Windows Startup folder, where it is executed by Windows when the user next logs in, according to an analysis by SOC Prime.
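A defender-side check for the behaviour described above, as an added example that is not from the article, SOC Prime or Microsoft: it flags file creations that land in a Startup folder and raises the severity when the writer is the diagnostic tool. It assumes events shaped like Sysmon FileCreate (Event ID 11) records with `Image` and `TargetFilename` fields and assumes the tool appears as `msdt.exe`; the sample events are constructed.

```python
import ntpath

# Startup folder locations (per-user and all-users), lower-cased for matching.
STARTUP_SUFFIXES = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)
# Assumption: the diagnostic tool appears as msdt.exe in the Image field.
MSDT_IMAGES = {"msdt.exe"}


def in_startup_folder(path):
    """True if the path, once '..' segments are collapsed, is in a Startup folder."""
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return folder.endswith(STARTUP_SUFFIXES)


def flag_startup_drops(events):
    """Return (severity, event) pairs for files created in a Startup folder."""
    findings = []
    for ev in events:
        if not in_startup_folder(ev["TargetFilename"]):
            continue
        writer = ntpath.basename(ev["Image"]).lower()
        # A write by the diagnostic tool is the pattern of interest; any other
        # writer is still worth a look because the file runs at next logon.
        severity = "high" if writer in MSDT_IMAGES else "review"
        findings.append((severity, ev))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\unpack\..\..\..\Roaming"
                       r"\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\updater.lnk"},
    {"Image": r"C:\Program Files\Office\winword.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Projects\Startup\notes.txt"},
]

if __name__ == "__main__":
    for severity, ev in flag_startup_drops(SAMPLE_EVENTS):
        print(severity, ntpath.basename(ev["Image"]), "->", ev["TargetFilename"])
```

Paths are normalised before matching so that a log source recording unresolved `..` segments is still caught, and a folder that merely happens to be named Startup elsewhere on disk is not flagged.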

A zero-day vulnerability is one that has been publicly disclosed and for which active exploitation has been spotted. A separate RCE flaw in MSDT (CVE-2022-35743) was also patched this month, but active exploitation has not been found, so it cannot be considered a zero-day.

Microsoft categorised 17 of the now-patched vulnerabilities as ‘critical’ since they facilitated the elevation of privileges and RCE. Only three of the 121 total flaws were classified as ‘critical’ on the CVSSv3 severity scale - vulnerabilities with scores between 9.0 and 10.0.

All three of the most severe vulnerabilities were RCEs, with one affecting Windows Network File System (NFS) (CVE-2022-34715) and two separate flaws impacting the Windows Point-to-Point Protocol (PPP) (CVE-2022-30133 and CVE-2022-35744).

CVE-2022-34715 was classed as a low-complexity exploit by Microsoft and involves an attacker making an unauthenticated call to an NFS service (version 4.0) to trigger an RCE.

Although it is rated 9.8/10.0 on the CVSSv3 scale, Microsoft branded this vulnerability as ‘important’ - the second-highest severity rating - because a target would be presented with a prompt or warning during the kill chain.

CVE-2022-30133 and CVE-2022-35744 were both rated 9.8/10.0 on the CVSSv3 scale and also classified as ‘critical’ by Microsoft since RCE could be achieved without any user intervention at all.

In both cases, an unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), Microsoft said, which could lead to RCE on the RAS server machine.

The remaining critical-rated vulnerabilities, as classified by Microsoft, all fell below the ‘critical’ threshold of the CVSSv3 scale but require no user intervention to exploit them.

The remaining flaws impacted the following: Active Directory Domain Services, Windows Secure Socket Tunneling Protocol, Windows Hyper-V, SMB Client and Server, and Microsoft Exchange Server.

The full list of fixed vulnerabilities can be found on Microsoft’s dedicated web page.

August’s Patch Tuesday marks the second-biggest round of updates in 2022, behind April’s which fixed 145 different flaws.

Early reports from system administrator communities are indicating that the updates are applying successfully and not impacting any wider components as Patch Tuesday updates have in the past. 

Earlier this year, Windows Server admins collectively agreed to forgo a month of patches due to the security updates causing other services in their IT environments to break.
