RPC Vulnerability (CVE-2022-26809)
On Patch Tuesday, April 12, 2022, Microsoft released patches for CVE-2022-26809, a zero-click vulnerability in Microsoft RPC services. As of right now there is no public PoC; however, scanning for the vulnerability has increased. Given the impact of this vulnerability, a PoC in the wild is likely soon. Patch your servers now, before the PoC comes out.
What is RPC?
The Remote Procedure Call (RPC) service provides standardized communication between programs. Most communication protocols, such as SMTP, DNS, and HTTP, have ports assigned by IANA. Communication that has no assigned port is where the RPC mechanism is used. Microsoft Remote Procedure Call (MSRPC) allows communication to be transmitted in different ways, for example:
SMB (TCP port 445 or port 139) is the most common. Communication is sent over named pipe writes and then passed to the proper service.
TCP port 135 plus a high port. The client connects to the endpoint mapper, which returns the port number the service uses. A second TCP connection is then made to that high port, and the message is transmitted as an RPC message.
HTTP, port 593 by default; ports 80 and 443 may also be used. This is used when RPC is exposed over the internet, and has the advantage that TLS can be used for encryption.
The vulnerability is an integer overflow in Microsoft Remote Procedure Call (MSRPC). When exploited, it allows arbitrary code execution over the network without authentication.
Security researchers at Akamai compared the March (unpatched) and April (patched) versions and found that the integer overflow bug could lead to a heap buffer overflow.
Apply the patch from Patch Tuesday today. Do not wait.
Block inbound traffic to TCP port 445 at the perimeter (this should not be exposed to the internet).
Block outbound traffic to TCP port 445 at the perimeter.
Internally, only allow TCP port 445 on machines that absolutely need it.
Follow Microsoft SMB guidelines.
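As an added example (not part of the original advisory), the script below ties the RPC transports listed above to the port-445 guidance: it labels each flow by transport and flags perimeter or non-allow-listed 445 traffic. The internal address range, the allow-list, the sample flows and the 49152+ dynamic-port cutoff are assumptions made for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed assumptions for this example: internal address space and the
# allow-list of hosts that genuinely need SMB/RPC over TCP 445 (file servers, DCs).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}

# Transports described in the advisory, keyed by destination port.
RPC_PORTS = {445: "SMB named pipe", 139: "SMB named pipe (NetBIOS)",
             135: "RPC endpoint mapper", 593: "RPC over HTTP"}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify_transport(dst_port: int) -> str:
    """Label the MSRPC transport a flow uses; 49152+ is assumed to be the
    dynamic range used for the high port handed out by the endpoint mapper."""
    if dst_port in RPC_PORTS:
        return RPC_PORTS[dst_port]
    return "possible RPC dynamic port" if dst_port >= 49152 else "not RPC"

def audit_flow(src: str, dst: str, dst_port: int) -> Tuple[str, str]:
    """Apply the 445 guidance: no 445 across the perimeter in either
    direction, and internal 445 only to allow-listed machines."""
    transport = classify_transport(dst_port)
    if dst_port == 445:
        if not is_internal(src) and is_internal(dst):
            return transport, "BLOCK: inbound 445 from internet"
        if is_internal(src) and not is_internal(dst):
            return transport, "BLOCK: outbound 445 to internet"
        if dst not in SMB_ALLOWLIST:
            return transport, "REVIEW: internal 445 to non-allowlisted host"
    return transport, "allow"

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.0.5", 445),   # internet -> file server
    ("10.0.1.20", "198.51.100.9", 445), # workstation -> internet
    ("10.0.1.20", "10.0.0.5", 445),     # workstation -> allow-listed server
    ("10.0.1.20", "10.0.1.21", 445),    # workstation -> workstation
    ("10.0.1.20", "10.0.0.6", 135),     # endpoint mapper lookup
    ("10.0.1.20", "10.0.0.6", 49670),   # follow-up high-port connection
]

def run_audit(flows=SAMPLE_FLOWS) -> List[str]:
    """Return one finding line per flow that is not simply allowed."""
    return [f"{s}->{d}:{p} [{t}] {v}"
            for s, d, p in flows
            for t, v in [audit_flow(s, d, p)] if v != "allow"]
```

Running `run_audit()` over the sample flows reports the inbound and outbound perimeter 445 connections and the workstation-to-workstation 445 connection, while the allow-listed server, endpoint mapper and dynamic-port flows pass.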
We are here to help!
Are you looking for ongoing advisory services to help identify vulnerabilities, define the security policies that should be in place, and improve your security posture? The team at Inception Security™ has been engaged to enhance the security posture of Fortune 100 companies as well as small and medium-sized businesses. Our team has deep knowledge of the cybersecurity industry and can provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.