Three days have passed since Microsoft’s latest Patch Tuesday, and CVE-2022-26809 has emerged as the vulnerability with the most exploitation potential.
It’s easy to see why: it may be exploited by unauthenticated, remote attackers to breach systems, and by attackers who already have access to one system and want to move laterally to others on the same network. It can also be exploited without the vulnerable system’s user doing anything at all (aka “zero-click” exploitation).
CVE-2022-26809 is a remote code execution vulnerability in Microsoft Remote Procedure Call (RPC) runtime and affects a wide variety of Windows and Windows Server versions.
“To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service,” Microsoft said and advised admins to:
- Block TCP port 445 at the enterprise perimeter firewall (but be aware that this does not protect systems from attacks from within the enterprise perimeter), and
- Follow Microsoft’s guidelines to secure SMB traffic.
This mention of SMB is probably what triggered some initial nervousness with security defenders, as it resurfaced bad memories related to the global WannaCry outbreak, which used the EternalBlue exploit to take advantage of vulnerabilities in Microsoft Windows SMB Server.
The infosec community worries about a functional proof-of-concept (PoC) exploit being released publicly soon and making the situation bad for enterprise defenders. There has been some topical online trolling and scam offers, but no PoC yet – and no evidence of covert exploitation.
Mitigation and detection
In the meantime, infosec experts have been augmenting Microsoft’s initial risk mitigation advice with their own:
CVE-2022-26809 Yes, blocking 445 at your network perimeter is necessary but not sufficient to help prevent exploitation.
If by April 2022 you STILL have SMB exposed to the broader internet you've got some soul searching to do.
Now, about those hosts already inside your network… pic.twitter.com/jS8fPrv8E2
— Will Dormann (@wdormann) April 13, 2022
Please remember: Port 445 is just ONE of the ports that may reach #RPC (CVE-2022-26809) on Windows. #MSRPC does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open". #allowlist #dontblocklist
— SANS ISC (@sans_isc) April 14, 2022
CVE-2022-26809 has nothing to do with SMB, it's an RPC vuln where a variety of transports can be used, like TCP/135, SMB/445, etc.
But I want to use this opportunity to talk about good techniques to stop an attacker from abusing SMB & the future of SMB security 🧵 /1
— Ned Pyle (@NerdPyle) April 14, 2022
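The point made by SANS ISC above, that blocking 445 alone does not cover MS-RPC, can be checked against a host’s own firewall log. The following is an added example written for this article, not code from Microsoft, SANS or any of the researchers quoted: it parses Windows Firewall log entries (the W3C-style pfirewall.log format), and reports allowed inbound TCP connections from non-internal sources that reach an RPC-capable port. The log lines are constructed for the example, the internal address ranges are an assumption, and the port list (135 endpoint mapper, 445 SMB named pipes, 593 RPC over HTTP, and the default Windows dynamic RPC range 49152-65535) is the set of RPC transports referred to in the tweets above.

```python
import ipaddress
from dataclasses import dataclass

# Ports on which MS-RPC can be reached: 135 (endpoint mapper), 445 (SMB named
# pipes), 593 (RPC over HTTP) and the default Windows dynamic RPC range.
RPC_STATIC_PORTS = {135, 445, 593}
RPC_DYNAMIC_RANGE = range(49152, 65536)

# Assumed internal address space for this example (adjust to your own).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    date: str
    time: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    path: str  # RECEIVE (inbound) or SEND (outbound)


def parse_pfirewall_line(line):
    """Parse one pfirewall.log entry. Field order: date time action protocol
    src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype
    icmpcode info path. Returns None for header lines and for entries that
    carry no port numbers (e.g. ICMP)."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    try:
        sport, dport = int(f[6]), int(f[7])
    except ValueError:
        return None  # ports are '-' for non-TCP/UDP traffic
    return Flow(f[0], f[1], f[2], f[3], f[4], f[5], sport, dport, f[16])


def is_rpc_port(port):
    return port in RPC_STATIC_PORTS or port in RPC_DYNAMIC_RANGE


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rpc_exposures(lines):
    """Allowed inbound TCP flows from outside INTERNAL_NETS that reach an
    RPC-capable port. A perimeter rule that only drops 445 still leaves the
    135 and dynamic-port hits in this list."""
    found = []
    for line in lines:
        fl = parse_pfirewall_line(line)
        if fl is None or fl.proto != "TCP" or fl.path != "RECEIVE":
            continue
        if fl.action == "ALLOW" and is_rpc_port(fl.dport) and not is_internal(fl.src):
            found.append(fl)
    return found


# Constructed sample log: 445 is dropped at the edge, but 135 and a dynamic
# RPC port are still reachable from 203.0.113.5 (a documentation address).
SAMPLE_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-04-14 09:00:01 DROP TCP 203.0.113.5 10.0.0.7 51234 445 52 S 123456 0 8192 - - - RECEIVE
2022-04-14 09:00:02 ALLOW TCP 203.0.113.5 10.0.0.7 51235 135 0 - 0 0 0 - - - RECEIVE
2022-04-14 09:00:03 ALLOW TCP 203.0.113.5 10.0.0.7 51236 49670 0 - 0 0 0 - - - RECEIVE
2022-04-14 09:00:04 ALLOW TCP 10.0.0.9 10.0.0.7 51237 445 0 - 0 0 0 - - - RECEIVE
2022-04-14 09:00:05 ALLOW TCP 10.0.0.7 203.0.113.9 51238 443 0 - 0 0 0 - - - SEND
2022-04-14 09:00:06 ALLOW ICMP 203.0.113.5 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
""".splitlines()


if __name__ == "__main__":
    for fl in rpc_exposures(SAMPLE_LOG):
        print(f"{fl.date} {fl.time} external {fl.src} reached RPC port {fl.dport} on {fl.dst}")
```

Run against a real pfirewall.log (logging of allowed connections must be enabled in the firewall profile for ALLOW lines to appear), the output lists exactly the RPC paths that a 445-only block leaves open; the fix is the allowlist approach the tweet recommends, i.e. permitting 135/445/the dynamic range only from the sources that need them.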
Akamai researchers have shared their own analysis of Microsoft’s patch, which provides additional insight about the origin of the flaw, and Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, published a post summarizing the danger CVE-2022-26809 poses and reiterated that patching is the only real fix for this vulnerability.
“You can’t ‘turn off’ RPC on Windows if you are wondering. It will break stuff. RPC does more than SMB. For example, you can’t move icons on the desktop if you disable RPC (according to a Microsoft help page),” he explained, and noted that exploitation detection may be hard.
“I have no idea when we will see a working exploit, but I hope we will have until next week,” he concluded.