Threat Advisory: Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)

Threat

Remote Code Execution through Microsoft RPC

Vulnerability

Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)

  • CVSS – 9.8 CRITICAL
  • Vulnerability Publication Date – 4/12/2022
  • Exploits Available – Most Likely

Description

Of the 128 vulnerabilities in Microsoft's April 2022 patch release, 10 are rated critical, but CVE-2022-26809 is raising the most concern. The vulnerability affects Windows hosts running the Remote Procedure Call Runtime (RPC) [2]. The Server Message Block (SMB) protocol [3] is commonly used in conjunction with RPC, making TCP port 445 a likely attack vector.

This vulnerability can result in remote code execution and allows for self-propagating (wormable) exploits; a worm requires no user interaction to spread throughout a company's network. There is little information currently available to determine whether this vulnerability is being actively exploited, but given its potential to spread, it seems only a matter of time before it is used in attacks.

Recommendations / Remediation

Contact FortifyData for a demonstration and discussion on how we can identify this vulnerability through our internal risk assessment.

Block TCP port 445 at the enterprise perimeter firewall [4]

Install KB5012666: Windows Server 2012 Security Update (April 2022)
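The two recommendations above can be verified per host with a short audit script. The following PowerShell is an added example written for this advisory, not FortifyData's or Microsoft's code; it assumes it is run elevated on each Windows host, that the KB number applies to that host's OS (KB5012666 is the advisory's Windows Server 2012 example), and it treats a host-level inbound block of TCP 445 only as an optional stopgap alongside the perimeter block (the `-AddHostBlockRule` switch and rule name are constructed for this example).

```powershell
# Audit script for the CVE-2022-26809 mitigations named in this advisory.
# Assumptions (not from the advisory): run elevated; the KB matches the host OS;
# a host-level block of TCP 445 breaks SMB file sharing on any host that serves it,
# so it is offered only as an optional stopgap until the patch is installed.
[CmdletBinding()]
param(
    [string]$KbId = 'KB5012666',   # patch named in the advisory
    [int]$Port    = 445,           # SMB port named in the advisory
    [switch]$AddHostBlockRule      # hypothetical option: add an inbound block rule
)

function Test-AdvisoryPatch {
    param([string]$Id)
    # Get-HotFix lists installed updates; an empty result means the KB is absent.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-PortListening {
    param([int]$LocalPort)
    # A LISTEN socket on the port means the host exposes SMB (and RPC over SMB).
    return [bool](Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue)
}

$patched  = Test-AdvisoryPatch -Id $KbId
$exposed  = Test-PortListening -LocalPort $Port
$ruleName = "Advisory-Block-TCP-$Port-Inbound"   # constructed rule name for this example
$hasRule  = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)

# Unpatched and listening with no compensating rule is the case the advisory warns about.
$risk = if (-not $patched -and $exposed -and -not $hasRule) { 'HIGH' }
        elseif (-not $patched) { 'MEDIUM' }
        else { 'LOW' }

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    PatchInstalled = $patched
    PortListening  = $exposed
    HostBlockRule  = $hasRule
    Risk           = $risk
}

if ($AddHostBlockRule -and -not $hasRule) {
    # Stopgap while the patch is rolled out; remove the rule once PatchInstalled is True.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
    Write-Host "Added inbound block rule '$ruleName' for TCP $Port."
}
```

Run it across a fleet (for example via Invoke-Command) and collect the objects to see which hosts are still unpatched and exposed.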

**These are generalized recommendations that may not be effective for all organizations and environments.**

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809
  2. https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page
  3. https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview#:~:text=The%20Server%20Message%20Block%20(SMB,is%20a%20dialect%20of%20SMB.
  4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809