Microsoft RPC Exploit

04.20.22
By: Kyle Posey

Microsoft's Patch Tuesday announcement on April 12, 2022, surprised everyone with an RPC vulnerability. CVE-2022-26809 is a Remote Code Execution vulnerability in Microsoft's Remote Procedure Call Runtime. This vulnerability affects any Windows host running the Server Message Block protocol (SMB). SMB allows users to share access to files on remote servers, and there are multiple versions of it.

Potential to be Dangerous

According to Jonathan Greig's article, 'Experts Warn of Concerns around Microsoft RPC Bug,' Censys stated that over 1.3 million hosts were running the SMB protocol at the time of the statement. Almost three-quarters of those were Windows-based operating systems, and the remainder were unidentifiable. "Although it can be exploited remotely, over the network, without any end-user interaction against a listening critical service with full access to the underlying operating system (which makes it quite potentially dangerous), the ports it uses are not normally contactable over the Internet because of built-in Windows defenses and firewalls," Grimes said.

Patched but not Forgotten

Microsoft has patched this CVE, but anyone who does not normally patch or update can still be vulnerable. Microsoft has also listed two mitigation actions in its advisory:

  • Blocking inbound connections to TCP port 445 at the firewall.
  • Securing Server Message Block traffic.

The latter of the two options can be more labor-intensive, as it requires you to periodically check your shares and SMB usage. Luckily, Microsoft has published a script that will assist you in performing this.

While these steps may not eliminate the chance of being hit by this exploit, they can greatly reduce it. If you have not already, patch your systems and close port 445 wherever possible. This vulnerability may never be exploited at scale, or it could become a big deal. It always pays to be on the safe side.
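The following PowerShell script is an added example, not code from this post and not Microsoft's own script; it audits a single Windows host against the steps above (patch installed, inbound TCP 445 blocked at the host firewall, SMB signing/encryption enforced, SMBv1 off, and a review of shares and active sessions) and only changes anything when run with `-Remediate`. The KB number is a placeholder to be taken from Microsoft's advisory for the host's build, the firewall rule name is the example's own choice, and it assumes an elevated prompt on Windows 8 / Server 2012 or later, where the NetSecurity and SmbShare modules are available.

```powershell
# Added example (not from the BreachQuest post or Microsoft): audit one Windows
# host against the CVE-2022-26809 mitigations. Read-only unless -Remediate is set.
# Assumes Windows 8 / Server 2012+ (NetSecurity, SmbShare modules), elevated prompt.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Placeholder: the April 2022 KB number differs per OS build; take it from
    # the Microsoft advisory for this host's build.
    [string]$PatchKb = 'KB-PLACEHOLDER',
    # Apply the firewall block rule and SMB hardening instead of only reporting.
    [switch]$Remediate
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch state. Get-HotFix only sees updates recorded as hotfixes, so treat a
#    miss as "verify manually", not as proof the host is unpatched.
if ($PatchKb -ne 'KB-PLACEHOLDER' -and -not (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)) {
    $findings.Add("Update $PatchKb not found; verify patch level via Windows Update")
}

# 2. Mitigation 1: inbound TCP 445 at the host firewall. Only relevant when the
#    SMB server is actually listening. Blocking 445 on a file server breaks its
#    shares, which is why the post says "wherever possible".
$listening  = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    }
if ($listening -and -not $blockRules) {
    $findings.Add('TCP 445 is listening and no enabled inbound block rule covers it')
    if ($Remediate) {
        # Rule display name is this example's own choice.
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - CVE-2022-26809' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# 3. Mitigation 2: secure SMB traffic. Require signing and encryption and make
#    sure SMBv1 is off. These are per-host server settings and are reversible.
$cfg = Get-SmbServerConfiguration
if (-not $cfg.RequireSecuritySignature) { $findings.Add('SMB signing is not required') }
if (-not $cfg.EncryptData)              { $findings.Add('SMB encryption is not enforced') }
if ($cfg.EnableSMB1Protocol)            { $findings.Add('SMBv1 is enabled') }
if ($Remediate) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true `
        -EnableSMB1Protocol $false -Force
}

# 4. Periodic share/usage review: non-administrative shares, broad grants on
#    them, and who is connected right now.
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $open = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|Authenticated Users' }
    if ($open) {
        $who    = ($open.AccountName | Sort-Object -Unique) -join ', '
        $rights = ($open.AccessRight | Sort-Object -Unique) -join '/'
        $findings.Add("Share '$($share.Name)' ($($share.Path)) grants $who $rights")
    }
}
foreach ($s in (Get-SmbSession -ErrorAction SilentlyContinue)) {
    $findings.Add("Active SMB session from $($s.ClientComputerName) as $($s.ClientUserName)")
}

# Report one line per finding so a scheduled task or fleet script can collect it.
if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it first without `-Remediate` to see what it would flag; on a file server, expect the port 445 finding and decide deliberately whether the block rule is acceptable, since enforcing it there cuts off the server's shares. The share review deliberately reports "Authenticated Users" grants as well as "Everyone", because on a domain-joined host either one makes the share reachable from any compromised account.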

Kyle is an experienced Server Consultant for BreachQuest’s Recovery & Remediation team. He leads the team primarily focusing on remote remediation, including but not limited to learning the client’s infrastructure network architecture. While the onsite team is en route, Kyle rebuilds the client network and acts as a key centralized technical point of contact when multiple locations are involved.
