1. Summary

Vulnerability Name: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-34713)
Release Time: Aug 10, 2022
Component Name: Microsoft Windows Support Diagnostic Tool (MSDT)
Affected Versions: See Section 3
Vulnerability Type: Remote Code Execution
Exploit Condition:
  User Authentication: Not required.
  Precondition: Default configuration.
  Trigger Mode: Remote delivery of a malicious .diagcab file; the victim must open it (user interaction required).
Description:
  Exploit Difficulty: Low
  Severity: High. An attacker who convinces a user to open a crafted file can execute code with that user's privileges.
  CVSS Score: 7.8 (CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

2. CVE-2022-34713 Vulnerability Analysis

2.1 Introduction

Microsoft Windows Support Diagnostic Tool (MSDT, msdt.exe) is a Windows component that collects diagnostic data and runs troubleshooting packages so that Microsoft technical support agents can analyze a problem remotely. Troubleshooting packages are distributed as .diagcab files, which are Cabinet (CAB) archives containing the package's scripts and metadata.

2.2 Summary

On August 10, 2022, Sangfor FarSight Labs received notice of a remote code execution vulnerability (CVE-2022-34713) in Microsoft MSDT, rated high severity with a CVSS score of 7.8.

CVE-2022-34713, dubbed DogWalk, was a zero-day: it was publicly known before a fix existed, and Microsoft reports it as exploited in the wild.

To exploit this vulnerability, an attacker sends a malicious diagnostic package (.diagcab) file to a user of a vulnerable system, typically through spear-phishing email or a watering-hole website. A .diagcab is a CAB archive, and a member name inside the archive can contain directory-traversal components (..\); when MSDT processes the package, that member is extracted outside the intended temporary directory. DogWalk uses this to drop an executable into the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; the all-users folder under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup is writable only by administrators, so an unprivileged payload lands in the per-user one). Anything in a Startup folder runs at the next logon, so the payload executes with the victim's privileges the next time the user signs in rather than at the moment the file is opened. Because .diagcab is not on Windows' list of high-risk attachment types, the file is not blocked by the attachment manager the way an .exe would be, which makes the lure easier.
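As an added example (not part of the original advisory and not Microsoft's or Sangfor's code), the following Python script shows the mechanism from the defender's side: it builds two small .diagcab-style cabinets in memory (constructed sample data; the member names and the number of ..\ components are invented and are not the exact DogWalk payload), parses the CFFILE directory of the Cabinet format, and flags any member whose name climbs out of the extraction directory or points at a Startup folder. The same check can be run on a real attachment by passing the file's bytes to find_traversal.

```python
"""Scan a Cabinet (.cab / .diagcab) archive for DogWalk-style path traversal.

Added example, not Sangfor's or Microsoft's code. The field layout follows
the Microsoft Cabinet format; the sample cabinets and member names below are
constructed for illustration.
"""
import struct

CFHEADER = "<4sIIIIIBBHHHHH"   # signature .. iCabinet (36 bytes)
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = "<IHH"                # csum, cbData, cbUncomp
ATTR_NAME_IS_UTF = 0x80        # szName is UTF-8 instead of the OEM code page


def build_cab(members):
    """Build a single-folder, uncompressed CAB from [(name, bytes), ...]."""
    blob = b"".join(data for _, data in members)
    assert len(blob) <= 0x8000, "this helper emits a single CFDATA block"
    cffiles, offset = b"", 0
    for name, data in members:
        cffiles += struct.pack(CFFILE, len(data), offset, 0, 0, 0, 0x20)
        cffiles += name.encode("latin-1") + b"\x00"   # szName is NUL-terminated
        offset += len(data)
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    coff_cab_start = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA, 0, len(blob), len(blob)) + blob
    total = coff_cab_start + len(cfdata)
    header = struct.pack(CFHEADER, b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, len(members), 0, 0, 0)
    folder = struct.pack(CFFOLDER, coff_cab_start, 1, 0)   # typeCompress 0 = none
    return header + folder + cffiles + cfdata


def list_cab_entries(data):
    """Return [(name, size)] for every CFFILE record in the cabinet."""
    fields = struct.unpack_from(CFHEADER, data, 0)
    if fields[0] != b"MSCF":
        raise ValueError("not a cabinet file")
    pos, n_files = fields[4], fields[9]   # coffFiles, cFiles
    entries = []
    for _ in range(n_files):
        cb_file, _, _, _, _, attribs = struct.unpack_from(CFFILE, data, pos)
        pos += struct.calcsize(CFFILE)
        end = data.index(b"\x00", pos)
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF else "latin-1"
        entries.append((data[pos:end].decode(encoding), cb_file))
        pos = end + 1
    return entries


def escapes_extraction_dir(name):
    """True if extracting `name` under a fresh directory would land outside it."""
    unix = name.replace("\\", "/")
    if unix.startswith("/") or (len(unix) > 1 and unix[1] == ":"):
        return True   # absolute path or drive letter
    depth = 0
    for part in unix.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:      # climbed above the extraction root
            return True
    return False


def targets_startup_folder(name):
    """True if the member would be written under a Start Menu\\Programs\\Startup folder."""
    return "start menu/programs/startup" in name.replace("\\", "/").lower()


def find_traversal(cab_bytes):
    """Names of members that escape the extraction directory."""
    return [n for n, _ in list_cab_entries(cab_bytes) if escapes_extraction_dir(n)]


# Constructed samples. The traversal depth and file names are illustrative only.
SAFE_CAB = build_cab([("Troubleshooter.diagpkg", b"<dcmPS:DiagnosticPackage/>"),
                      ("TS_Main.ps1", b"Write-Host 'diagnostic'")])
DOGWALK_NAME = ("..\\..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
                "\\Startup\\update.exe")
DOGWALK_CAB = build_cab([("Troubleshooter.diagpkg", b"<dcmPS:DiagnosticPackage/>"),
                         (DOGWALK_NAME, b"MZ")])

if __name__ == "__main__":
    for label, cab in (("safe", SAFE_CAB), ("dogwalk", DOGWALK_CAB)):
        bad = find_traversal(cab)
        print(label, "members:", [n for n, _ in list_cab_entries(cab)])
        print(label, "traversal:", bad, "startup:", [n for n in bad if targets_startup_folder(n)])
```

The scanner deliberately inspects only the CFFILE directory and never extracts anything, so it is safe to run on untrusted input at a mail gateway or in a sandbox; a production version would also handle multi-cabinet sets and the optional header reserve area, which this example skips by jumping straight to coffFiles.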

3. Affected Versions

Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)

4. Solutions

4.1 Microsoft Solution

Microsoft fixed this vulnerability in the security updates released on August 9, 2022 (the August 2022 Patch Tuesday). Install the update for the affected OS version from the MSRC advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713

The advisory lists no configuration workaround, so the update is the remediation and should be prioritized because the vulnerability is exploited in the wild. Until it is installed, filtering .diagcab attachments at the mail gateway and monitoring the Startup folders for newly written executables are reasonable compensating controls.

4.2 Sangfor Solution

4.2.1 Security Monitoring

The following Sangfor products and services perform real-time monitoring of assets affected by the Windows MSDT Remote Code Execution vulnerability (CVE-2022-34713):

4.2.2 Security Protection

The following Sangfor products and services provide protection against the Windows MSDT Remote Code Execution vulnerability (CVE-2022-34713):

5. Reference

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713

6. Timeline

On Aug 10, 2022, Sangfor FarSight Labs received a notice about the Windows MSDT Remote Code Execution vulnerability (CVE-2022-34713).
On Aug 10, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.

7. Learn More

Sangfor FarSight Labs Threat Intelligence researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.