On Microsoft’s Patch Tuesday for April 12, 2022, Microsoft issued a slew of patches including one for a Remote Procedure Call (RPC) Runtime Remote Code Execution (RCE) Vulnerability which is listed as CVE-2022-26809. This CVE holds a CVSS score of 9.8 and is listed as Critical.
The Remote Procedure Call Runtime Remote Code Execution vulnerability is found in Microsoft’s Server Message Block (SMB) functionality. The SMB protocol (ports 135, 139 and 445) is used primarily for file sharing and inter-process communication. RPC is a communication mechanism that allows one program to request a service or functionality from another program located elsewhere on a network, whether on the internet or an intranet. With RPC, a program can request a service from a program on another computer without having to understand the network’s details; it is used to call processes on remote systems as if they were running on the local system.
With CVE-2022-26809, an attacker can exploit the vulnerability by crafting a specific RPC to execute malicious code on the remote server. The kicker is that no privileges are required to exploit it successfully: the attacker can be completely unauthenticated before the attack, and therefore needs no access to settings or files to carry it out. Furthermore, the vulnerable system can be exploited without any user interaction.
Because this exploit needs no user interaction, it is at greater risk of being wormable: code delivered through the exploit could automatically reach out, find other susceptible devices, and self-propagate through the network. This sort of vulnerability also lends itself to giving attackers the ability to move laterally within a network.
Since RPC services are required for normal business operations at many organizations, it’s not always possible to completely prevent this vulnerability from being exploited, which is why it is important to have other methods of monitoring the network for unauthorized traffic, such as Milton Security’s Threat Hunt team.
No publicly available POCs exist for this exploit at the time of this blog post, however that doesn’t mean they don’t actually exist. We have been seeing a tremendous amount of scanning from malicious actors across our customers, which means there are potential exploits in the wild.
How to Detect if CVE-2022-26809 is Being Exploited
To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server-side with the same permissions as the RPC service.
To detect this exploitation, look in the firewall logs you have stored in a syslog server or a SIEM (you do have something storing the logs, right? …right!?) for activity on ports 135, 137, 139 and 445 to see whether you have traffic crossing your perimeter firewall (of course, if you had a Threat Hunting Team from Milton Security, you would already have been notified of this).
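As an added example (not code from the original post), the check above run over a few constructed iptables-style firewall log lines: it flags any flow to ports 135, 137, 139 or 445 where exactly one endpoint is inside the organization, and ignores ordinary internal-to-internal SMB. The key=value log format and the RFC 1918 internal ranges are assumptions; adapt both to your firewall and address plan.

```python
# Added example, not from the original post: find SMB/RPC-port flows crossing the perimeter.
import ipaddress
import re

# Ports the post says to watch: RPC endpoint mapper, NetBIOS name/session, SMB.
SMB_RPC_PORTS = {135, 137, 139, 445}

# Assumption: the organization's internal space is RFC 1918 (adjust to yours).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines; 203.0.113.x / 198.51.100.x are documentation ranges standing in for Internet hosts.
SAMPLE_LOGS = """\
Apr 13 02:11:07 fw1 kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.5.20 PROTO=TCP SPT=51234 DPT=445
Apr 13 02:11:09 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.9 PROTO=TCP SPT=49811 DPT=135
Apr 13 02:11:12 fw1 kernel: IN=eth1 OUT=eth1 SRC=10.0.5.20 DST=10.0.5.30 PROTO=TCP SPT=49812 DPT=445
Apr 13 02:11:15 fw1 kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.5.21 PROTO=TCP SPT=51235 DPT=443
Apr 13 02:11:20 fw1 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.5.22 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_perimeter_smb_rpc(log_text: str) -> list:
    """Return one record per SMB/RPC-port flow with exactly one internal endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in SMB_RPC_PORTS:
            continue
        src_in, dst_in = is_internal(m["src"]), is_internal(m["dst"])
        if src_in == dst_in:  # both sides internal (expected file sharing) or both external
            continue
        findings.append({"direction": "inbound" if dst_in else "outbound",
                         "src": m["src"], "dst": m["dst"],
                         "proto": m["proto"], "dport": int(m["dpt"])})
    return findings


if __name__ == "__main__":
    for f in find_perimeter_smb_rpc(SAMPLE_LOGS):
        print(f"{f['direction']:8} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
```

Each flagged record carries the direction, so inbound hits point at hosts to check for compromise while outbound hits on these ports suggest an internal machine already reaching out.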
How to Mitigate Against CVE-2022-26809
Check your firewall settings for incoming and outgoing traffic on ports 135, 137, 139, and 445. There should never be any traffic that crosses your firewall on these ports, so if you see anything suspicious coming across them, explicitly block those IP addresses and then ensure that those SMB ports are closed.
The most dangerous open ports are wormable ports, like the ones the SMB protocol uses: they are open by default in some operating systems, and many organizations rely on these protocols to share files and perform normal business functions.
Microsoft recommends configuring firewall rules to help prevent this vulnerability from being exploited. The static port used (TCP port 445) can be blocked at the enterprise perimeter:
“TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.”
It’s always wise to avoid publicly exposing all SMB ports, including ports 135, 137, 139 as well as 445.
You can also follow Microsoft guidelines to secure SMB traffic found here: Secure SMB Traffic in Windows Server.
As always, Patch. Everything. Keep a list of systems that are in use within your organization and routinely check for updates to avoid exploits of known vulnerabilities.
Finally, you can hire the team of expert Threat Hunters at Milton Security to keep a watchful eye over your network to ensure that no adversaries are getting past your perimeter defenses.
If you want to see how Milton Security can protect your organization and your brand from CVE-2022-26809 and other vulnerabilities, click the button below to sign up for a free 15-day Proof of Value and put our team of expert Threat Hunters to the test.