The Windows DogWalk vulnerability (CVE-2022-34713) is a prime reminder of why a proactive approach to endpoint security is so important. Although the DogWalk remote code execution (RCE) vulnerability was first identified and reported to Microsoft in January 2020 by Imre Rad, Microsoft did not view it as a security issue at the time. It wasn't until reports surfaced of the DogWalk zero day being exploited in the wild, coupled with the escalation of the recently publicized Follina vulnerability (another issue in the Microsoft Support Diagnostic Tool, MSDT), that Microsoft finally took action and issued a patch as part of its August 2022 Patch Tuesday update.
This blog will discuss the DogWalk vulnerability and how organizations can proactively protect themselves from such vulnerabilities and other threats with endpoint privilege management.
What is the Windows DogWalk vulnerability?
The Windows DogWalk vulnerability is a path traversal weakness in MSDT, specifically in sdiageng.dll, which trusts an attacker-supplied path as though it were a plain Windows file name. This lets an attacker craft a .diagcab file that points at a folder on a remote WebDAV server. That folder hosts a file with a malicious name:
Because of the way MSDT handles this, it copies the malicious executable to:
Because this is the user's Startup folder, the dropped executable runs at the next user logon. While users and security tools are fairly accustomed to blocking suspicious .exe files, the same is not true of .diagcab files. In fact, researchers found that these could be delivered as a drive-by download, because browsers did not treat them as a potential threat in the way they treat a directly delivered .exe. This gives the attacker four advantages:
- Simplified delivery of the payload to the targeted victim
- Increased likelihood of evading detection
- A bypass of the "Mark of the Web" controls
- A straightforward way to gain both code execution and persistence
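The traversal described above, modelled in Python as an added example: this is not the sdiageng.dll code and not BeyondTrust's, and the user name `victim`, the scratch directory `SDIAG_1234`, the payload name and the benign script name are constructed assumptions. It uses `ntpath` so that Windows path semantics run on any OS. It shows a trusting join of an attacker-controlled name landing in the Startup folder, a hardened version of the same join that rejects the name, and a small check that flags any destination inside a per-user or all-users Startup folder, which is the kind of rule an endpoint control can raise an event on.

```python
import ntpath

# Constructed sample paths (assumptions for this example, not values from the
# page): the per-user scratch directory a diagnostic package is unpacked into,
# and the per-user Startup folder the payload ends up in.
SCRATCH_DIR = r"C:\Users\victim\AppData\Local\Temp\SDIAG_1234"
STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# A file name as an attacker would host it in the WebDAV folder: more "..\"
# than needed (normalisation clamps at the drive root, so the extra ones cost
# the attacker nothing) followed by the full route into the Startup folder.
ATTACKER_NAME = "..\\" * 10 + r"Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"
BENIGN_NAME = "Troubleshooter.ps1"

# Lower-cased tail shared by the per-user and the all-users Startup folders.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def naive_destination(scratch_dir: str, name: str) -> str:
    """The flaw in miniature: trust the name from the package as a plain file
    name and join it straight onto the scratch directory."""
    return ntpath.normpath(ntpath.join(scratch_dir, name))


def safe_destination(scratch_dir: str, name: str) -> str:
    """Hardened version: accept only a bare file name, then confirm the
    normalised result is still inside scratch_dir. Raises ValueError otherwise."""
    # ntpath.basename strips drives ("C:x"), UNC prefixes and both separators,
    # so any traversal or absolute component makes basename(name) != name.
    if name in ("", ".", "..") or ntpath.basename(name) != name:
        raise ValueError(f"not a bare file name: {name!r}")
    base = ntpath.normpath(scratch_dir)
    dest = ntpath.normpath(ntpath.join(base, name))
    # NTFS paths are case-insensitive, so compare lower-cased, with the separator
    # appended so that "...\SDIAG_1234x" does not pass as inside "...\SDIAG_1234".
    if not dest.lower().startswith(base.lower() + ntpath.sep):
        raise ValueError(f"destination escapes {base!r}: {dest!r}")
    return dest


def is_startup_path(path: str) -> bool:
    """True if a write to path lands in a Startup folder (per-user or all-users),
    i.e. the written file would execute at the next logon."""
    parent = ntpath.dirname(ntpath.normpath(path)).lower()
    return parent.endswith(STARTUP_SUFFIX)


def demo() -> dict:
    """Run the attacker-controlled and the benign name through both versions."""
    naive = naive_destination(SCRATCH_DIR, ATTACKER_NAME)
    try:
        safe_destination(SCRATCH_DIR, ATTACKER_NAME)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_dest": naive,
        "naive_lands_in_startup": is_startup_path(naive),
        "hardened_rejects_attacker_name": rejected,
        "benign_dest": safe_destination(SCRATCH_DIR, BENIGN_NAME),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the four outcomes: the trusting join resolves the attacker's name to `payload.exe` inside the Startup folder, the Startup check flags that destination, the hardened join rejects the same name, and the benign name still resolves inside the scratch directory. The bare-name test is the part that matters; the containment check after it is a second, independent line of defence in case a later code change accepts relative paths again.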
What has been particularly controversial about this "bug" is that Microsoft initially dismissed it as not a security issue, and it sat unaddressed for more than two years after security researcher Imre Rad reported it.
How can BeyondTrust help mitigate the DogWalk vulnerability?
BeyondTrust Privilege Management for Windows pairs powerful least privilege management and application control capabilities to provide preventative endpoint security. Here’s how the solution can provide proactive protection against DogWalk, as well as many other types of cyber threats.
1. Removes admin rights and enforces true least privilege (just-enough access + just-in-time access): Most malware and other cyberattacks need privileges to execute or to move laterally, and exploits of the DogWalk vulnerability are no different. The attacker's code runs only in the context of the targeted user, so a standard user with fewer privileges presents far less risk than a local admin user. This is another conspicuous reminder of the protective power of the principle of least privilege (PoLP): attackers often rely on easy access to admin privileges to dump credentials, disable security controls, and move to other systems.
2. Applies advanced application control: Application control can thwart the attacker's ability to execute payloads or exploitable applications. For a DogWalk exploit to succeed, the executable dropped to disk must run at logon, and that step can be disrupted by a robust application control policy. For example, in our solution's Quick Start Low Flex template, an unapproved executable launching from a user-writable location would be blocked and challenged by default. Admins can also configure Privilege Management for Windows to block execution and raise events when applications attempt to launch from the Startup folder or other commonly abused folder locations.
3. Combines privilege management and application control: Together, the two are highly effective at preventing an attacker from leveraging tools already on the system in "living off the land" and fileless attacks. For example, BeyondTrust can prevent an attacker from using or elevating commonly abused tools like PowerShell as part of an attack chain, while still allowing the user to access them through secure desktop messaging prompts, MFA challenges, or other flexible configuration options. Meaning you can get back to enjoying dog walks!
To learn more about the Microsoft vulnerabilities landscape, including research-backed tips on best practices for mitigation, and expert commentary, be sure to check out the latest edition of our annual Microsoft Vulnerabilities Report (2022).
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.