Threat
Remote Code Execution through Microsoft RPC
Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809) [1]
- CVSS – 9.8 CRITICAL
- Vulnerability Publication Date – 4/12/2022
- Exploits Available – Most Likely
Description
Of the 128 vulnerabilities in Microsoft's April patch release, 10 are rated critical, but CVE-2022-26809 is raising the most concern. The vulnerability affects Windows hosts running the Remote Procedure Call Runtime (RPC) [2]. The Server Message Block (SMB) protocol [3] is commonly used in conjunction with RPC, making TCP port 445 a likely attack vector.
This vulnerability can result in remote code execution and allows for self-propagating (wormable) exploits; a worm requires no user interaction to spread throughout a company's network. There is currently little information available to determine whether this vulnerability is being actively exploited, but given its potential to spread, it seems only a matter of time before it is used in attacks.
Recommendations / Remediation
Contact FortifyData for a demonstration and discussion on how we can identify this vulnerability through our internal risk assessment.
- Block TCP port 445 at the enterprise perimeter firewall [4]
- Install KB5012666: Windows Server 2012 Security Update (April 2022); other affected Windows versions take the corresponding April 2022 update listed in the MSRC advisory [4]
**These are generalized recommendations that may not be effective for all organizations and environments.**
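As an added host-level check, not code from the FortifyData advisory or from Microsoft, the following PowerShell reports whether the update above is installed, whether TCP 445 is listening, and whether a local inbound block on 445 exists (a complement to, not a substitute for, the perimeter rule). It assumes a Windows Server 2012 host, so the KB number is the one given above; the function name is hypothetical.

```powershell
# Added example (not FortifyData's or Microsoft's code): host-level check for the two
# remediation items above. Assumes Windows Server 2012, where KB5012666 is the April 2022
# update; on other Windows versions substitute the KB listed in the MSRC advisory.
function Test-Cve202226809Remediation {
    param(
        # KB that remediates CVE-2022-26809 on this host's OS version (assumption: Server 2012)
        [string]$PatchId = 'KB5012666'
    )

    # 1. Is the April 2022 update installed? Get-HotFix reads Win32_QuickFixEngineering,
    #    which lists installed rollups by KB number; absence yields $null, not an error.
    $patch = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
    $patchDate = $null
    if ($patch) { $patchDate = $patch.InstalledOn }

    # 2. Is anything listening on TCP 445 (SMB, the likely delivery path for RPC traffic)?
    $smbListener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    # 3. Does the host firewall already block inbound TCP 445? A rule whose LocalPort is
    #    'Any' also covers 445. This does not replace the perimeter block recommended above.
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any') }

    # Exposed = unpatched AND listening on 445 AND no local inbound block on 445
    $exposed = (-not $patch) -and [bool]$smbListener -and (-not $blockRule)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PatchInstalled    = [bool]$patch
        PatchInstalledOn  = $patchDate
        Smb445Listening   = [bool]$smbListener
        Inbound445Blocked = [bool]$blockRule
        Exposed           = $exposed
    }
}

# Run locally; feed the object to Export-Csv when collecting results across a fleet.
Test-Cve202226809Remediation | Format-List
```

Run as an administrator; Get-NetTCPConnection and the NetSecurity cmdlets are available on Windows Server 2012 and later.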
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809
- https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page
- https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview#:~:text=The%20Server%20Message%20Block%20(SMB,is%20a%20dialect%20of%20SMB.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809