Yesterday, on August 9 2022, the U.S Cybersecurity and Infrastructure Security Agency (CISA) updated their catalog of Known Exploited Vulnerabilities with two more flaws. The CISA updated the catalog based on evidence of active exploitation.
One of those two flaw has exploit code publicly available. That code has spent more than two years as a zero-day bug in the Windows Support Diagnostic Tool (MSDT).
The flaws have received a high severity score and are recognized as directory traversal vulnerabilities, which could help the attackers plant malware on a targeted system.
The first bug is officially tracked as CVE-2022-34713 and informally referred to as DogWalk. This flaw in MSDT facilitates the threat actor to deploy a malicious executable into the Windows Startup folder.
Researcher Imre Rad first reported the issue to Microsoft in January 2022. However, his report was dismissed as it was found misclassified as not describing a security risk. Consequently, the bug made its comeback to public attention this year.
On the other hand, the second bug added to CISA’s Known Exploited Vulnerabilities catalog is tracked as CVE-2022-30333. This bug is a path traversal bug in the UnRar utility for Linux and Unix systems.
This bug facilitates an attacker to plant a malicious file on the target system by extracting it to an arbitrary location during the unpack operation.
The federal agencies in the US will apply the updates from the vendors by August 30.
