August 10, 2022

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of two vulnerabilities exploited in the wild. The flaws have been added to the list of Known Exploited Vulnerabilities based on evidence of active exploitation.

For both vulnerabilities, federal authorities in the U.S. are expected to apply the updates from the vendors by August 30.

The first bug tracked as CVE-2022-34713 is formally referred to as DogWalk, while the second bug tracked as CVE-2022-30333 is a path traversal bug in the UnRAR utility for Linux and Unix systems.

The DogWalk vulnerability (CVE-2022-34713) is a vulnerability in MSDT that allows attackers to place a malicious executable program in the Windows Startup folder. According to Microsoft, successful exploitation requires user interaction that can be bypassed via social engineering, especially in email and web-based attacks.

The UnRAR bug (CVE-2022-30333) found in the UnRAR utility for Linux and Unix systems allows an attacker to use it to place a malicious file on the target system by extracting it to any location during the unpack operation.

For most affected versions of Windows, an unofficial patch for CVE-2022-34713 is available from the opatch micropatching service. Microsoft has also fixed the bug as part of the security updates for Windows released in August 2022.

The sources for this piece include an article in BleepingComputer.