Critical vulnerability relating to the remote procedure call (RPC) protocol

Overview

CVE-2022-26809 is a critical (CVSS 9.8) remote code execution vulnerability in the Windows Remote Procedure Call (RPC) runtime, disclosed and patched in Microsoft's April 2022 security update release and affecting multiple Microsoft operating systems. Although the flaw itself lies in the RPC runtime, RPC traffic is carried over several transports, so an attacker does not need to reach raw RPC ports: RPC requests delivered over the Server Message Block (SMB) protocol (as named pipe writes on TCP 445) can also trigger the vulnerability.

Impact

A threat actor who can reach an RPC endpoint on an affected system may be able to execute arbitrary code on it remotely. That code runs with the privileges of the process hosting the vulnerable RPC runtime, which for many built-in Windows services is a highly privileged service account. Exploitation requires neither authentication nor user interaction.

Affected Products

All Windows client and server versions that were supported at the time of release, from Windows 7 and Windows Server 2008 through to Windows 11 and Windows Server 2022. See the Microsoft Security Update Guide entry listed under Further Information for the full product list.

Vulnerability Detection

  1. Check, via patch management tooling or manually on the asset, that the April 2022 Security/Cumulative updates have been applied.
  2. Review firewall configurations to see whether any of the transports that RPC runs over are exposed:
     • SMB (TCP port 445, or TCP port 139 for the NetBIOS session service) is probably the most common. RPC requests over SMB are sent as writes to named pipes, which are then passed to the respective service.
     • TCP (port 135 and dynamic high ports): this mechanism is similar to Sun RPC. The client first connects to an endpoint mapper (port 135 for MSRPC; port 111 for Sun RPC), which returns the port number the target service listens on. You will then see a second TCP connection to that high port carrying the RPC messages.
     • HTTP (default port 593): used where RPC must be reachable across the internet. TLS can be used for encryption, and HTTP can provide additional authentication options. Ports 80/443 may be used as well.
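The two detection steps above, as an added example that is not code from the original advisory: a PowerShell audit run in an elevated session on the asset. The Patch Tuesday date (12 April 2022) and the port numbers are facts from the advisory; the patch check is a heuristic ("any security update installed since then") because the KB number differs per OS build and is not hard-coded here, so confirm the specific KB in your patch management tool.

```powershell
# Added example (not from the original advisory): audit a Windows host against
# the detection steps - April 2022 update present, and RPC/SMB transports
# listening or allowed inbound from any remote address. Run elevated.

$PatchTuesday = Get-Date '2022-04-12'          # April 2022 security release date
$RpcPorts     = 135, 139, 445, 593              # EPM, NetBIOS/SMB, SMB, RPC over HTTP

# Step 1 (heuristic): has any Security/Cumulative update been installed since
# Patch Tuesday? The per-build KB number is deliberately not assumed here.
$Updates = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $PatchTuesday -and $_.Description -match 'Security|Update' }
if ($Updates) {
    "Updates installed on or after $($PatchTuesday.ToString('yyyy-MM-dd')):"
    $Updates | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No security update installed since April 2022 Patch Tuesday: host is probably unpatched.'
}

# Step 2a: which processes are listening on the RPC/SMB transport ports?
"Listening sockets on RPC/SMB transport ports:"
Get-NetTCPConnection -State Listen |
    Where-Object { $RpcPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    } | Format-Table -AutoSize

# Returns $true when a firewall rule's LocalPort list covers any watched port.
# LocalPort can be a number, a range ('1024-65535'), 'Any', or the Windows
# Firewall keywords 'RPC' (dynamic RPC ports) and 'RPC-EPMap' (port 135).
function Test-PortExposed {
    param([string[]]$LocalPorts, [int[]]$Watch)
    foreach ($p in $LocalPorts) {
        if ($p -in 'Any', 'RPC', 'RPC-EPMap') { return $true }
        if ($p -match '^\d+$' -and $Watch -contains [int]$p) { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Watch | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        }
    }
    return $false
}

# Step 2b: enabled inbound allow rules that open those ports to any remote address.
"Inbound allow rules exposing RPC/SMB ports to any remote address:"
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        if (($portFilter.Protocol -in 'TCP', 'Any') -and
            (Test-PortExposed -LocalPorts @($portFilter.LocalPort) -Watch $RpcPorts) -and
            ($addrFilter.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                LocalPort = (@($portFilter.LocalPort) -join ',')
            }
        }
    } | Format-Table -AutoSize
```

The host firewall view is only half of step 2: a rule that is "open to any remote address" on the host is harmless if the perimeter or segment firewall drops the traffic first, so read this output alongside the network-level rule set. Rules whose LocalPort is "Any" but which are scoped to a particular program are reported too; they expose the port only if that program actually listens on it, so review those by hand rather than disabling them blindly.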

Containment, Mitigations & Remediations

  1. Apply the April 2022 Microsoft security updates to every affected host.
  2. Review the ports open on the perimeter and close any that are not used; in particular, TCP 445 and TCP 135 should not be reachable from the internet.
  3. Limit lateral movement by allowing inbound TCP port 445 (and the RPC endpoint mapper on TCP 135) only from authorised machines. Where network segmentation cannot enforce this, the host firewall can.
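Remediation step 3 on a single Windows host, as an added example that is not code from the original advisory: the built-in firewall is reconfigured so that inbound SMB is accepted only from an authorised list of remote addresses. The addresses in $AuthorisedSmbClients and the rule display name are placeholders assumed for illustration; substitute your own.

```powershell
# Added example (not from the original advisory): allow inbound SMB (TCP 445)
# only from authorised hosts using Windows Firewall. Run elevated. Test on a
# non-production host first: any legitimate SMB client left off the list
# loses access to this machine's shares.

$AuthorisedSmbClients = @('10.10.5.10', '10.10.5.11', '10.10.6.0/24')   # assumed: admin jump hosts, backup servers
$RuleName = 'SMB-In (authorised hosts only)'                            # assumed display name

# 1. Disable every enabled inbound allow rule that opens TCP 445 to any
#    remote address, e.g. the built-in "File and Printer Sharing (SMB-In)".
#    Rules with LocalPort 'Any' scoped to a program are left for manual review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -eq 'TCP') -and (@($pf.LocalPort) -contains '445') -and ($af.RemoteAddress -contains 'Any')
    } |
    ForEach-Object {
        Write-Host "Disabling broad SMB rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 2. Add one allow rule scoped to the authorised remote addresses. Guarded so
#    that re-running the script does not create duplicates.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $AuthorisedSmbClients `
        -Profile Domain,Private -Enabled True | Out-Null
}

# 3. Ensure the profiles default to blocking inbound traffic, so anything not
#    matched by an explicit allow rule (SMB from an unlisted host included) is
#    dropped. Windows Firewall gives explicit block rules precedence over allow
#    rules, so a separate "block 445 from Any" rule would also override the
#    scoped allow above; default-deny is the correct mechanism here.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Verify the remote-address scope now in force for the SMB rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

On domain-joined hosts the firewall is usually managed by Group Policy, which will overwrite local changes at the next refresh; in that case apply the same scoping through the GPO rather than locally. The endpoint mapper (TCP 135) and the dynamic RPC range can be scoped in exactly the same way by changing -LocalPort, but do so only after confirming which hosts legitimately need RPC access to this machine.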

Indicators of Compromise

No indicators of compromise have been published for this vulnerability, despite reports of in-the-wild exploitation as of 18 April 2022. Detection therefore rests on patch status and on monitoring for unexpected inbound connections to the RPC/SMB ports listed above.

Threat Landscape

Although no public proof-of-concept exploit code is available at the time of writing, mass exploitation is expected: the flaw sits in a core component present in every supported version of Windows, and the affected ports are widely exposed both inside networks and on the internet.

Mitre Methodologies

T1021.002 – Remote Services: SMB/Windows Admin Shares

T1190 – Exploit Public-Facing Application

T1068 – Exploitation for Privilege Escalation

T1203 – Exploitation for Client Execution

Further Information

Akamai Blog | Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime
CVE-2022-26809 – Security Update Guide – Microsoft – Remote Procedure Call Runtime Remote Code Execution Vulnerability