Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)

Description

FortiGuard Labs is aware that Microsoft released a patch and advisory for a critical remote code execution vulnerability in Remote Procedure Call Runtime Library as part of the April Patch Tuesday. Assigned CVE-2022-26809 and a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise.


Why is this Significant?
This is significant because CVE-2022-26809 is rated by Microsoft as "critical" and "Exploitation More Likely" because of its impacts on all supported Windows products and due to the trivial nature of the vulnerability. Because of the potential impact that the vulnerability has, Microsoft released security updates for Windows 7, which reached end-of-life in January 2020. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to apply the patch or apply the recommended mitigations.


What is CVE-2022-26809?
CVE-2022-26809 is a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. The Microsoft advisory states "To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," which allows the attacker to take control of an affected system.


Is CVE-2022-26809 being Exploited in the Wild?
At the time of this writing, the vulnerability is not reported nor observed to have been exploited in the wild.


Has Microsoft Released a Patch for CVE-2022-26809?
Yes, Microsoft released a patch on April 12th, 2022 as part of the April MS Tuesday. Due to the potential impact the vulnerability has, Microsoft also released security updates for Windows 7, which is no longer supported.


What is the Status of Coverage?
FortiGuard Labs has released the following IPS signature in version 20.297:


MS.Windows.RPC.CVE-2022-26809.Remote.Code.Execution (default action is set to pass)


What Mitigation Steps are Available?
Microsoft has provided the following mitigation steps in the advisory:


Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:


1. Block TCP port 445 at the enterprise perimeter firewall


TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.


2. Follow Microsoft guidelines to secure SMB traffic


For the Microsoft guidelines on how to secure SMB traffic, see the Appendix for a link to "Secure SMB Traffic in Windows Server".

description-logoOutbreak Alert

This vulnerability is a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system.

View the full Outbreak Alert Report