Posted on August 10, 2022 at 6:52 PM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that two recently disclosed vulnerabilities, one in Windows and one in UnRAR, are now being exploited in the wild. The agency said one of the flaws, tracked as CVE-2022-30333, is a path traversal bug in the Unix versions of UnRAR that is triggered when a maliciously crafted RAR archive is extracted.
As a result, an attacker who can get a target to extract such an archive on a system with the utility installed can drop arbitrary files wherever the extracting user has write access. The bug was disclosed in late June by SonarSource researcher Simon Scannell.
The Exploit Code Of The Bug Is Available In The Wild
Citing evidence of active exploitation, CISA added the two bugs to its Known Exploited Vulnerabilities (KEV) catalog. The agency periodically warns about vulnerabilities that are being exploited and remain open until the vendor's patch is applied, giving potentially targeted organizations the information they need to protect their systems.
The other vulnerability, in the Windows Support Diagnostic Tool (MSDT), had been known but unpatched for more than two years. The agency also noted that exploit code for it is publicly available in the wild.
Both vulnerabilities carry high severity scores, but the score is not what put them on the catalog: CISA lists a flaw only when it has evidence of exploitation in the wild. Both are classified as directory (path) traversal vulnerabilities, which let an attacker write a file to a location of their choosing, plant malware and gain execution on the system.
The Windows vulnerability is tracked as CVE-2022-34713 and unofficially known as DogWalk. It lets an attacker plant a malicious executable in the Windows Startup folder, where it runs the next time the user logs on. Security researcher Imre Rad first reported the bug to Microsoft in January 2020, but the report was closed after Microsoft classified it as not a security issue at the time.
The vulnerability resurfaced this year after security researcher j00sean re-examined it, described its impact and published a video showing the bug being exploited.
The DogWalk Vulnerability Enables Code Execution
According to the researcher, successful exploitation requires user interaction. That hurdle is routinely cleared with social engineering in email- or web-based attacks.
Microsoft explained that an attacker could exploit the flaw by delivering a specially crafted file to the user and convincing them to open it, typically by dressing the file up to look like it comes from a legitimate organization.
Microsoft described CVE-2022-34713 as a variant of the DogWalk flaw and noted that it enables code execution when MSDT is called via the URL protocol from a calling application, typically Microsoft Word.
In a web-based attack, the attacker hosts a website containing a specially crafted file that exploits the vulnerability; alternatively, they can abuse a site that accepts user-provided content, or a compromised site, to deliver the file.
For most affected Windows versions an unofficial fix has been available since June from the 0patch micropatching service, and some users have already applied it.
Microsoft addressed CVE-2022-34713 in the August 2022 Patch Tuesday updates and acknowledged that the flaw has been exploited in attacks.
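The DogWalk write lands in a Startup folder, which gives defenders a concrete thing to hunt for. The following is an added example written for this page, not code from Microsoft or from the researchers named above: it triages constructed Sysmon-style file-creation records, flags any write into a per-user or all-users Startup folder, and escalates when the writing process is the diagnostic tooling itself. The process names (msdt.exe, sdiagnhost.exe) and the pipe-separated record format are assumptions; adjust them to what your own telemetry shows.

```python
import ntpath
import re

# Constructed Sysmon-style FileCreate records (not real telemetry). Fields are
# pipe-separated key=value pairs so that paths containing spaces survive parsing.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\msdt.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"Image=C:\Program Files\Vendor\setup.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Agent.lnk",
    r"Image=C:\Windows\System32\msdt.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\SDIAG_1a2b\diag.xml",
    r"Image=C:\Windows\System32\sdiagnhost.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
]

# The per-user and all-users Startup folders share this suffix; match case-insensitively.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Assumption: the tooling that unpacks a .diagcab runs as msdt.exe or its
# scripted-diagnostics host sdiagnhost.exe. Tune this set to your EDR's view.
DIAG_IMAGES = {"msdt.exe", "sdiagnhost.exe"}


def parse_event(line):
    """Split one record into (Image, TargetFilename)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return fields["Image"], fields["TargetFilename"]


def classify(image, target):
    """None for uninteresting writes, 'medium' for any write into a Startup folder,
    'high' when the writer is the diagnostic tooling (the DogWalk pattern)."""
    if not STARTUP_RE.search(target):
        return None
    return "high" if ntpath.basename(image).lower() in DIAG_IMAGES else "medium"


def triage(lines):
    """Return (severity, process, target) for every record worth a look."""
    findings = []
    for line in lines:
        image, target = parse_event(line)
        severity = classify(image, target)
        if severity:
            findings.append((severity, ntpath.basename(image).lower(), target))
    return findings


if __name__ == "__main__":
    for severity, process, target in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {process} wrote {target}")
```

The medium finding (an installer dropping a shortcut into Startup) is ordinary and exists to show the rule is not MSDT-specific; the two high findings are the ones to investigate, including the write into the all-users Startup folder under ProgramData.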
UnRAR Bug Also Exploited
CISA also flagged the UnRAR vulnerability as exploited. This bug, tracked as CVE-2022-30333, is a path traversal flaw in the UnRAR utility for Unix and Linux systems.
It lets an attacker write malicious files to locations of their choosing on the target: a crafted archive causes a file to be extracted outside the intended destination directory during unpacking.
The vulnerability was disclosed by the Swiss firm SonarSource in June. Its report described how the flaw could be turned against a real target: because the Zimbra email server unpacks incoming RAR attachments with UnRAR, a malicious attachment yields remote code execution on the Zimbra server without authentication.
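SonarSource's writeup attributed the bug to an ordering mistake: UnRAR's Unix build converts Windows-style backslashes in archive paths to forward slashes, but it validated a symbolic link's target before that conversion, so a target written as ..\..\..\tmp passed the traversal check and then resolved outside the extraction directory; a later archive entry written through the link landed wherever the link pointed. The following is an added example written for this page, not UnRAR's or SonarSource's code: it models that archive layout as plain Python dicts (no real RAR parsing), reproduces the flawed check-then-convert order in a sandboxed temporary tree, and puts the hardened convert-then-resolve order beside it. The entry format and the sandbox layout are constructed for the demonstration.

```python
import os
import tempfile

# Constructed archive listing modelling the malicious layout: a symlink whose target
# uses Windows backslashes, then a file entry written through that link. These dicts
# stand in for RAR headers; no real archive is involved.
MALICIOUS_ENTRIES = [
    {"name": "lnk", "type": "symlink", "target": "..\\..\\..\\tmp"},
    {"name": "lnk/shell.jsp", "type": "file", "data": b"<% /* constructed payload */ %>"},
]

# A harmless archive: a file plus a relative symlink that stays inside the tree.
BENIGN_ENTRIES = [
    {"name": "docs/readme.txt", "type": "file", "data": b"hello\n"},
    {"name": "docs/latest", "type": "symlink", "target": "readme.txt"},
]


def dos_slash_to_unix(path):
    """Mimic the Unix build's conversion of Windows separators."""
    return path.replace("\\", "/")


def naive_target_is_safe(target):
    """The flawed order: inspect the raw link target for '..' components by splitting
    on '/' before backslashes are converted. '..\\..\\..\\tmp' contains no '/' and so
    looks like a single harmless name."""
    return not target.startswith("/") and ".." not in target.split("/")


def inside(root, path):
    """True if `path`, after resolving symlinks, lies under `root`."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_root, os.path.realpath(path)]) == real_root


def make_layout():
    """Sandbox: <root>/a/b/c is the extraction dir and <root>/tmp stands in for /tmp,
    so the traversal visibly escapes the extraction dir without touching the host."""
    root = tempfile.mkdtemp(prefix="unrar-demo-")
    dest = os.path.join(root, "a", "b", "c")
    os.makedirs(dest)
    os.makedirs(os.path.join(root, "tmp"))
    return root, dest


def extract_vulnerable(entries, dest):
    """Check first, convert second (the CVE-2022-30333 pattern). Returns real paths written."""
    written = []
    for entry in entries:
        out = os.path.join(dest, entry["name"])
        os.makedirs(os.path.dirname(out), exist_ok=True)  # follows an already-planted link
        if entry["type"] == "symlink":
            if naive_target_is_safe(entry["target"]):
                os.symlink(dos_slash_to_unix(entry["target"]), out)
        else:
            with open(out, "wb") as fh:  # also follows the planted link
                fh.write(entry["data"])
            written.append(os.path.realpath(out))
    return written


def extract_hardened(entries, dest):
    """Convert first, resolve the target relative to the link's own directory and require
    it to stay under dest; re-check every file path immediately before writing so a link
    planted by an earlier entry cannot redirect the write. Returns (written, rejected)."""
    written, rejected = [], []
    for entry in entries:
        out = os.path.join(dest, entry["name"])
        if entry["type"] == "symlink":
            target = dos_slash_to_unix(entry["target"])
            resolved = os.path.join(os.path.dirname(out), target)
            if os.path.isabs(target) or not inside(dest, resolved):
                rejected.append(entry["name"])
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            os.symlink(target, out)
        else:
            if not inside(dest, out):
                rejected.append(entry["name"])
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(entry["data"])
            written.append(os.path.realpath(out))
    return written, rejected


if __name__ == "__main__":
    root, dest = make_layout()
    for path in extract_vulnerable(MALICIOUS_ENTRIES, dest):
        print("vulnerable wrote:", path, "inside dest?", inside(dest, path))
    root, dest = make_layout()
    written, rejected = extract_hardened(MALICIOUS_ENTRIES, dest)
    print("hardened rejected:", rejected, "wrote:", written)
```

Run on a Unix system. The vulnerable extractor writes shell.jsp into the sandbox's tmp directory, three levels above the extraction directory; the hardened one rejects the link and keeps the file entry inside the tree, while still extracting the benign archive unchanged. The second check on file paths matters on its own: even with a correct link check, resolving the final path with realpath before every write is what stops a link planted by any earlier entry from redirecting it.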
A Metasploit module for the UnRAR bug was added earlier this month. Under CISA's binding directive, US federal civilian agencies must apply the vendors' patches for both vulnerabilities by August 30. CISA is responsible for alerting organizations to vulnerabilities that could be used against them if left unpatched, as part of its wider role in protecting US organizations from both criminal and nation-state threat actors.