Microsoft Patches Zero-Day DogWalk Vulnerability
Microsoft has published a fix for CVE-2022-34713, a vulnerability labeled DogWalk that was first reported in 2019. The bug was originally not classified as an urgent issue, but the company appears to have reevaluated it in early August. DogWalk centers around the Microsoft Support Diagnostic Tool (MSDT), which was recently involved in attacks by cybercriminals and state actors using the Follina vulnerability.
What is DogWalk?
DogWalk is named as such because it is a path traversal flaw: when a potential target opens a specially crafted “.diagcab” archive file (which contains a diagnostics configuration file), a malicious executable can be written into the Windows Startup folder.
A diagcab file is used for troubleshooting, helping to locate and fix hardware and software problems in Windows. These types of files are sometimes posted on websites and downloaded by users, and creators usually digitally sign them to verify that they are from a trusted source. They are run using MSDT.
DogWalk requires a social engineering element to be effective. The threat actor would need to convince a user to click on a link or open a document for the exploit to work. If that succeeds, the payload executes the next time the victim logs in to the system after it restarts.
The vulnerability affects all Windows versions, from Windows 7 and Server 2008 to the latest releases. As of this writing, Trend Micro has yet to encounter any real-world attack that weaponizes CVE-2022-34713, but a proof-of-concept (POC) for this vulnerability was already reported in 2019. The following provides analysis of a possible attack using this POC:
| DogWalk - CVE-2022-34713 | |
| --- | --- |
| Entry | • Spearphishing link • Spearphishing attachment • Drive-by download |
| Subject Process | • Msdt.exe |
| Installation | • Executing the .diagcab file causes it to spawn msdt.exe • The msdt.exe library sdiageng.dll loads, causing the Path variable from .diagcfg to be read • The Path variable points to an attacker-controlled WebDAV server • The file from the WebDAV server uses a path traversal technique to cause the payload to be dropped in the %Startup% folder |
| Payload Execution | • Payload executes after restart |
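The two observable points in the chain above are the path traversal itself (a relative path from the diagnostic package that resolves outside its working directory) and the end result (msdt.exe writing a file into a Startup folder). The following added example, written for this article and not code from Trend Micro or Microsoft, shows a defender's check for both. The log lines are constructed; their `Image` and `TargetFilename` fields borrow the field names of a file-create event, but the key=value layout is an assumption made for the example, not any product's real format.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed file-create events for this example. Field names mirror a
# file-create telemetry event, but the one-line key=value layout is invented.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\msdt.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"Image=C:\Windows\System32\msdt.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\SDIAG_1234\results.xml",
    r"Image=C:\Program Files\Editor\editor.exe TargetFilename=C:\Users\alice\Documents\notes.txt",
    r"Image=C:\Windows\System32\msdt.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.lnk",
]

# Matches the per-user and all-users Startup folders, case-insensitively.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
EVENT_RE = re.compile(r"Image=(?P<image>.+?) TargetFilename=(?P<target>.+)$")


@dataclass
class Finding:
    image: str
    target: str
    reason: str


def parse_event(line):
    """Split one constructed event line into (image, target) or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("target")


def is_startup_path(path):
    """True if the (normalized) Windows path lies inside a Startup folder."""
    return STARTUP_RE.search(ntpath.normpath(path)) is not None


def detect_startup_drops(lines, suspicious_images=("msdt.exe",)):
    """Flag file creations in a Startup folder performed by the diagnostic tool."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, target = parsed
        if ntpath.basename(image).lower() in suspicious_images and is_startup_path(target):
            findings.append(Finding(image, target, "diagnostic tool wrote into a Startup folder"))
    return findings


def escapes_directory(base_dir, relative_path):
    """True if joining relative_path onto base_dir resolves outside base_dir.

    This is the check a consumer of a diagnostic package should apply to any
    path it takes from the package: normalize first, then compare prefixes.
    An absolute or UNC path in relative_path replaces base_dir entirely when
    joined, so it is also reported as an escape.
    """
    base = ntpath.normcase(ntpath.normpath(base_dir))
    joined = ntpath.normcase(ntpath.normpath(ntpath.join(base_dir, relative_path)))
    return not (joined == base or joined.startswith(base + "\\"))


if __name__ == "__main__":
    for f in detect_startup_drops(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.image} -> {f.target}")
    work_dir = r"C:\Users\alice\AppData\Local\Temp\SDIAG_1234"
    print(escapes_directory(work_dir, r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"))
    print(escapes_directory(work_dir, r"results.xml"))
```

Only the two msdt.exe writes into a Startup folder are reported; the write into the tool's own temp directory and the unrelated editor are ignored. The `escapes_directory` check uses `ntpath` so it evaluates Windows path semantics regardless of the host it runs on, which makes it usable in an offline log-analysis pipeline as well as on the endpoint.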
Best practices and security solutions
Microsoft has already issued a patch for this vulnerability. The company also has .diagcab files blocked by default in Outlook on the web and other places. This means users are less likely to fall into traps involving DogWalk. As mentioned previously, social engineering traps are necessary for DogWalk attacks to be effective, so users must watch out for malicious links and downloaded files.
A multilayered approach can help organizations defend against this and similar attacks using security technologies that can detect malicious components and suspicious behavior.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block suspicious behavior and tools.
- Trend Micro Apex One™ offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection.
For a complete list of the Indicators of Compromise, please download this document.