Threat Signal Report

Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)

description-logo Description

FortiGuard Labs is aware that Microsoft released a patch and advisory for a critical remote code execution vulnerability in Remote Procedure Call Runtime Library as part of the April Patch Tuesday. Assigned CVE-2022-26809 and a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise.


Why is this Significant?
This is significant because CVE-2022-26809 is rated by Microsoft as "critical" and "Exploitation More Likely" because of its impacts on all supported Windows products and due to the trivial nature of the vulnerability. Because of the potential impact that the vulnerability has, Microsoft released security updates for Windows 7, which reached end-of-life in January 2020. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to apply the patch or apply the recommended mitigations.


What is CVE-2022-26809?
CVE-2022-26809 is a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. The Microsoft advisory states "To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," which allows the attacker to take control of an affected system.


Is CVE-2022-26809 being Exploited in the Wild?
At the time of this writing, the vulnerability is not reported nor observed to have been exploited in the wild.


Has Microsoft Released a Patch for CVE-2022-26809?
Yes, Microsoft released a patch on April 12th, 2022 as part of the April MS Tuesday. Due to the potential impact the vulnerability has, Microsoft also released security updates for Windows 7, which is no longer supported.


What is the Status of Coverage?
FortiGuard Labs has released the following IPS signature in version 20.297:


MS.Windows.RPC.CVE-2022-26809.Remote.Code.Execution (default action is set to pass)


What Mitigation Steps are Available?
Microsoft has provided the following mitigation steps in the advisory:


Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:


1. Block TCP port 445 at the enterprise perimeter firewall


TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.


2. Follow Microsoft guidelines to secure SMB traffic


For the Microsoft guidelines on how to secure SMB traffic, see the Appendix for a link to "Secure SMB Traffic in Windows Server".


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.