Microsoft has fixed a new Windows RPC CVE-2022-26809 vulnerability that is raising concerns among security researchers due to its potential for widespread, significant cyberattacks once an exploit is developed. Therefore, all organization needs to apply Windows security updates as soon as possible.
Microsoft fixed this vulnerability as part of the April 2022 Patch Tuesday updates and rated it as ‘Critical,’ as it allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol.
If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM level permissions, providing full administrative access to the exploited device.
The Microsoft Remote Procedure Call (RPC) protocol is a communication protocol that allows processes to communicate with each other, even if those programs are running on another device.
RPC allows processes on different devices to communicate with each other, with the RPC hosts listening for remote connections over TCP ports, most commonly ports 445 and 135.
CVE-2022-26809 in the crosshairs
After Microsoft released security updates, security researchers quickly saw the potential for this bug to be exploited in widespread attacks, similar to what we saw with the 2003 Blaster worm and 2017 Wannacry attacks utilizing the Eternal Blue vulnerability.
Researchers have already started analyzing and publishing technical details about the vulnerability, which other researchers and threat actors will use to piece together into a workable exploit.
For example, researchers at Akamai have already tracked the bug down to a heap buffer overflow in the rpcrt4.dll DLL.
“Diving deeper into the vulnerable code in OSF_SCALL:GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it,”Akamai explained in their technical writeup.
“This in turn allows data to be written out of the buffer’s bounds, on the heap. When exploited properly, this primitive could lead to remote code execution.”
Sentinel One researcher Antonio Cocomazzi has also played with the bug and successfully exploited it on a custom RPC server, not a built-in Windows service.
The good news is that it may require a specific RPC configuration to be vulnerable, but that is still being analyzed.
While researchers are still working on figuring out the full technical details of the bug and how to reliably exploit it, security researcher Matthew Hickey, co-founder of Hacker House, has also been playing analyzing the vulnerability.
Hickey told BleepingComputer that it is only a matter of time until an exploit is developed and that it could have the potential for damaging results.
“It’s as bad as it can get for Windows enterprise systems, it is important to stress that people should apply the patch because it can surface in a number of configurations of both client and server RPC services,” Hickey told BleepingComputer in a conversation about the bug.
“This has the potential to be another global event similar to WCRY, depending on how long it takes attackers to weaponize and exploit. I would expect attacks to begin ramping up with this vulnerability in the coming weeks.”
Hickey tells BleepingComputer that the vulnerable DLL, rpcrt4.dll, is not only used by Microsoft services but also by other applications, further increasing the exposure of this vulnerability.
“The main issue is that because its within the rpcrt4.dll there are not just default microsoft services but all manner of third party applications that will be impacted, so even if you just block the common windows ports, you might still have some software that is both vulnerable in client / server mode – things like backup agents, antivirus, endpoint software, even pentest tools that use RPC.”
Will Dormann, a vulnerability analyst at the CERT/CC, warns that all admins must block port 445 at the network perimeter so that vulnerable servers are not exposed to the Internet. By blocking port 445, the devices are not only protected from remote threat actors but also from potential network worms that may utilize the exploit.
Dormann says that at this time there are over 1.3 million devices exposing port 445 to the Internet, offering a massive pool of targets to exploit.
However, blocking port 445 at the perimeter is not enough, as unless security updates are installed, the devices will still be vulnerable internally to threat actors who compromise a network.
As this vulnerability is ideal for spreading laterally in a network, we will almost surely see it used by ransomware gangs in the future.
While it’s not time to panic about this vulnerability, admins need to make patching these devices a priority, as an exploit can be released at any time.
Once an exploit is released, it usually only takes threat actors a short time to weaponize it in attacks.