ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Microsoft Remote Procedure Call vulnerability

By 14 April 2022 April 9th, 2023 CERT, SOC, Vulnerability

This live blog contains information regarding the Microsoft Remote Procedure Call vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on April 14, 2022.

Update April 14, 2022

17:00 | Yesterday we published a blog about the RPC vulnerability in Microsoft Windows, registered as CVE-2022-26809. Since the release of this blog, two changes have occurred.

In the Security Advisory of Microsoft, only exploitation via SMB over TCP port 445 is described. However, the usage of RPC it is not limited to SMB. There are other services/ports that can be used to access RPC. There are strong rumours (not officially confirmed), these services/ports can be used as well to exploit the vulnerability. For example:

  • Direct over TCP via port 135, 49152 – 65535
  • Via HTTP over TCP port 593
  • Via other services, e.g., Microsoft Exchange

Currently there is no evidence that CVE-2022-26809 is being exploited in the wild. However, the release of a patch, often enables attackers to develop exploits by comparing the different versions of files. Based on these analyses, the first detailed posts already have been published. For example, by Akamai. A public exploit for this vulnerability is expected soon.

Call to action

  • Make sure not to publicly expose RPC, for example via:
    • RPC (135, 49152 – 65535)
    • SMB (445)
    • RPC over HTTP (593)
  • Apply the patches provided by Microsoft. As a rule of thumb, you can use the following order:
    • Critical assets, e.g.: Domain Controllers, File servers and Exchange servers
    • Public exposed services
    • Internal client systems

Update April 13, 2022

13:00 | During the patch Tuesday of April 2022, Microsoft released patches for 119 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in the Remote Procedures Call Runtime, registered as CVE-2022-26809. This vulnerability allows an unauthenticated remote attacker to execute code with the same privileges as the RPC service. This service operates in the context of the system user account Network Service.

Tesorion advises to check if your products are listed and apply the required patches or workaround as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

The vulnerability CVE-2022-26809 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact.

This vulnerability is a remote code execution vulnerability and allows an unauthenticated remote attacker to execute code with the same privileges as the RPC service on the affected system. This service operates in the context of the system user account Network Service. The vulnerability allows an attacker to remotely send unauthorized malicious RPC requests to executed code on the affected system. Furthermore it allows an attacker to move laterally through the network. This may allow an attacker to move towards the Domain Controllers, which are usually reachable via port 445 to provide regular services to Clients. This may pose a significant risk.

Detail info

Microsoft has released patches for Windows 7 SP1 and Windows Server 2008 SP2 and later, indicating these versions are affected. It is not clear if older Windows version are vulnerable.

Microsoft published a patch on the 12th of April 2022. It is strongly advised applying this patch as soon as possible. It is recommended to provide Domain Controllers and other critical systems with TCP port 445 exposed with the patch as soon as possible.

As a workaround, TCP port 445 can be blocked on the (host) Firewall. This port is used to establish a connection to the affected component. Blocking this port helps protect systems behind the firewall from attempts to exploit this vulnerability.

Background

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.