Microsoft RPC Exploit
The Tuesday Microsoft Patch announcement on April 12, 2022, surprised everyone with an RPC exploit. Microsoft RPC Exploit CVE-2022-26809 is a security vulnerability for Microsoft’s Remote Procedure Call Runtime Remote Code Execution. This vulnerability affects any Windows host running Server Message Block protocol (SMB protocol). SMB protocols allow users to share access to files on remote servers, and there are multiple versions of it.
Potential to be Dangerous
According to the Jonathan Grieg article, ‘Experts Warn of Concerns around Microsoft RPC Bug,’ Censys states that 1.3 million+ hosts are running the SMB protocol at the time of the statement. Almost three-quarters of those are Windows-based Operating systems, and the remaining were unidentifiable. “Although it can be exploited remotely, over the network, without any end-user interaction against a listening critical service with full access to the underlying operating system (which makes it quite potentially dangerous), the ports it uses are not normally contactable over the Internet because of built-in Windows defenses and firewalls,” Grimes said.
Patched but not Forgotten
Microsoft has patched this CVE, but anyone who does not normally patch/update can still be vulnerable. Microsoft has listed two mitigations about this here.
- Blocking inbound connections at the firewall that are using TCP port 445,
- Secure Server Message Block traffic.
The latter of the two options can be more labor-intensive. It will require you to periodically check your shares and SMB usage. Luckily, Microsoft has added a script that will assist you in performing this.
While these steps may not eliminate the chance of getting hit by this exploit, they can greatly reduce the chances of this exploit happening to you. If you have not already, patch your systems and close port 445 wherever possible. There is a chance this is never exploited, or there is a chance this could become a big deal. It always pays to be on the safe side of things.
Kyle is an experienced Server Consultant for BreachQuest’s Recovery & Remediation team. He leads the team primarily focusing on remote remediation, including but not limited to learning the client’s infrastructure network architecture. While the onsite team is en route, Kyle rebuilds the client network and acts as a key centralized technical point of contact when multiple locations are involved.