
DogWalk zero-day squashed on August Patch Tuesday

In addition to a long-simmering bug in the Microsoft Support Diagnostic Tool, Microsoft corrects a sizeable number of flaws in its Azure Site Recovery product.

Microsoft resolved the DogWalk zero-day vulnerability on August Patch Tuesday, more than two years after a researcher reported it to the company.

Microsoft issued two advisories and patched two revised Common Vulnerabilities and Exposures to go along with 121 unique new CVEs, including 17 rated critical. The revised CVEs refer to .NET Framework DoS vulnerabilities -- CVE-2022-26832 and CVE-2022-30130 -- that had been released earlier this year. Customers should install monthly rollup KB5016268 on Windows 8.1 and Windows Server 2012 R2 systems that run .NET Framework 3.5 to get full protection from the vulnerabilities.

Microsoft corrects zero-day code-named DogWalk

On August Patch Tuesday, Microsoft resolved an actively exploited remote-code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) -- CVE-2022-34713 -- rated important. The zero-day, which was also publicly disclosed, affects all supported Windows OSes.


"There is functional code available, so more threat actors can get their hands on it and start to utilize it," said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company. "Because it has been confirmed in attacks in the wild, that definitely increases the concern."

Microsoft's notes indicate CVE-2022-34713 is a variant of the DogWalk vulnerability first reported to Microsoft by researcher Imre Rad in 2019, but a Twitter thread with Microsoft engineer Johnathan Norman confirmed the August Patch Tuesday security update will correct DogWalk.

Both DogWalk and the Follina zero-day (CVE-2022-30190) that Microsoft corrected on June Patch Tuesday capitalize on flaws in the MSDT. Both rely on the user on the vulnerable system to open a specially crafted file, such as an email attachment or a file downloaded from a website, to trigger the exploit.

Despite the reports of active exploitation, this bug is only rated important, but the presence of functional code should motivate administrators to resolve the CVE quickly.

"There are most likely nation-states and other threat actors playing with this one, so it should be at the top of the patching list for administrators this month," Goettl said.

Multiple fixes released for Exchange Server

Microsoft corrected six flaws -- CVE-2022-21979, CVE-2022-30134, CVE-2022-34692, CVE-2022-21980, CVE-2022-24477 and CVE-2022-24516 -- in the on-premises Exchange Server messaging platform.

The information disclosure flaw -- CVE-2022-30134 -- could enable a threat actor to read email stored on the Exchange Server. While only rated important, the bug should get top patching priority due to its heightened visibility as a publicly disclosed vulnerability.

Resolving most of these Exchange Server vulnerabilities will require extra work from administrators. According to Microsoft, Windows Extended Protection should be enabled on Exchange Server systems to combat man-in-the-middle attacks. Microsoft provides lengthy documentation and a PowerShell script that automates the setup process for Exchange Server 2013 CU23, Exchange Server 2016 CU22 and Exchange Server 2019 CU11 or later. All the systems also need the August Patch Tuesday security updates installed.

"I would say CVE-2022-30134 bumps up the urgency, so Exchange admins won't want to let this linger for too long," Goettl said. "Especially because it requires a little bit more investigation if they haven't done the [Windows] Extended Protection yet. This could be a larger project than just patching Exchange."
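One check an Exchange administrator would want before and after running Microsoft's configuration script, added here as an example that is not the script the article describes: a PowerShell audit of the Extended Protection tokenChecking setting on each Exchange virtual directory in IIS. It assumes the IIS WebAdministration module is present and the standard Exchange site names "Default Web Site" and "Exchange Back End"; the function name Get-ExtendedProtectionReport is my own.

```powershell
# Added audit example (not Microsoft's Extended Protection script): report the
# Windows Extended Protection (channel binding token) setting for every Exchange
# virtual directory in IIS so you can see which endpoints are still unprotected.
# Assumes the standard Exchange IIS site names; adjust $Sites if yours differ.
Import-Module WebAdministration

$Sites = @('Default Web Site', 'Exchange Back End')

function Get-ExtendedProtectionReport {
    foreach ($site in $Sites) {
        # Each Exchange endpoint (EWS, OAB, Autodiscover, ...) is an IIS application under the site.
        $apps = Get-WebApplication -Site $site -ErrorAction SilentlyContinue
        foreach ($app in $apps) {
            $vdir   = $app.Path.TrimStart('/')
            $psPath = "IIS:\Sites\$site\$vdir"
            $prop = Get-WebConfigurationProperty -PSPath $psPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                -Name 'extendedProtection.tokenChecking' -ErrorAction SilentlyContinue
            # Enum-typed attributes come back wrapped in a ConfigurationAttribute; unwrap it.
            $setting = if ($null -ne $prop.Value) { "$($prop.Value)" } else { "$prop" }

            [pscustomobject]@{
                Site             = $site
                VirtualDirectory = $vdir
                # 'None' disables channel binding checks; 'Allow' validates a token when the
                # client sends one; 'Require' rejects clients that present no token.
                TokenChecking    = if ($setting) { $setting } else { 'n/a (Windows auth not configured)' }
                Hardened         = ($setting -in @('Allow', 'Require'))
            }
        }
    }
}

Get-ExtendedProtectionReport | Sort-Object Site, VirtualDirectory | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server; any row with TokenChecking of None or n/a on an endpoint that should be protected is one Microsoft's script and documentation still need to address on that host.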

Patches related to printing will require diligence

Microsoft resolved two Print Spooler elevation-of-privilege vulnerabilities -- CVE-2022-35755 and CVE-2022-35793 -- and removed a temporary mitigation for a Windows Key Distribution Center information disclosure vulnerability known as CVE-2021-33764. The company released a patch for the latter flaw in July 2021 that tightened security related to the Kerberos authentication protocol.

As a result of this mitigation removal, devices on the network that use smart card authentication and aren't RFC 4456-compliant -- such as printers, scanners and multifunction devices -- could stop working. Microsoft had issued a knowledge base article -- KB5005408 -- to help administrators find and either update or replace these noncompliant devices before the hardening enforcement deadline on August Patch Tuesday.

"Any printers that are noncompliant will start to be denied, so once again printer functionality might be a headache for some until those printers have either been upgraded or removed," Goettl said.

Azure bugs dominate August Patch Tuesday

Customers who use services related to Azure should review the security updates closely as more than a third of this month's fixes relate to the cloud platform, including eight CVEs for the Azure RTOS GUIX Studio and 34 CVEs for Azure Site Recovery.

The corrections for the cloud-based disaster recovery tool outnumbered the 33 fixes released in the July Patch Tuesday security updates and affect organizations that use a VMware-to-Azure setup. Microsoft released extensive documentation that explains how to protect vulnerable systems.

Goettl said administrators will need to be adept at finding the affected infrastructure and have the stamina to execute all the manual configuration work properly.

"There's a lot of complexity to deal with, just like the last time around, but the sheer number of these vulnerabilities is a bit startling," Goettl said.
