Microsoft has patched a new Windows RPC vulnerability CVE-2022-26809 that is causing concern among security researchers due to its potential for widespread and large cyberattacks once an exploit is developed. Therefore, any organization should apply Windows security updates as soon as possible.
Microsoft addressed this vulnerability as part of the April 2022 Patch Tuesday updates and classified it as “Critical” because it allows unauthorized remote code execution through a bug in the Microsoft communication protocol Remote Procedure Call (RPC).
If exploited, all commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM-level permissions, providing full administrative access to the exploited device.
Microsoft Remote Procedure Call (RPC) is a communication protocol that allows processes to communicate with each other, even if those programs are running on another device.
RPC allows processes on different devices to communicate with each other, with RPC hosts listening for remote connections on TCP ports, most commonly ports 445 and 135.
CVE-2022-26809 in the crosshairs
After Microsoft released security updates, security researchers quickly saw the potential for this bug to be exploited in widespread attacks, similar to what we saw with the 2003 Blaster worm and the 2017 Wannacry attacks using the Eternal Blue vulnerability.
Researchers have already begun analyzing and publishing technical details about the vulnerability, which other researchers and threat actors will use to piece together an exploitable exploit.
For example, Akamai researchers have already identified the bug down to a buffer overflow in the rpcrt4.dll DLL.
“Digging deeper into the vulnerable code in OSF_SCALL:GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied to a buffer too small to fill,” Akamai explained in its technical writing.
“This in turn allows data to be written out of buffer bounds, on the heap. When exploited correctly, this primitive can lead to remote code execution.”
Sentinel One researcher Antonio Cocomazzi also played around with the bug and successfully exploited it on a custom RPC server, not an embedded Windows service.
The good news is that it may require a specific RPC configuration to be vulnerable, but this is still being investigated.
While researchers are still working to figure out all the technical details of the bug and how to reliably exploit it, the security researcher Matthew Hickeyco-founder of Hacker House, also had fun analyzing the vulnerability.
Hickey told BleepingComputer that it’s only a matter of time before an exploit is developed that could have damaging results.
“This is as bad as it gets for Windows enterprise systems, it’s important to stress that people should apply the patch as it can show up in a number of client and server RPC service configurations,” Hickey told BleepingComputer in a conversation about the insect.
“This has the potential to be another world event similar to WCRY, depending on how long it takes for attackers to arm and exploit. I expect attacks to start escalating with this vulnerability in the weeks coming.”
Hickey tells BleepingComputer that the vulnerable DLL, rpcrt4.dll, is not only used by Microsoft services but also by other applications, further increasing the exposure of this vulnerability.
“The main problem is that because in rpcrt4.dll there are not just default Microsoft services, but all sorts of third-party applications that will be affected, so even if you just block common Windows ports, you could still have software that is both vulnerable in client/server mode – things like backup agents, antivirus, endpoint software, even slope testing tools that use RPC.”
Will Dormann, vulnerability analyst at CERT/CC, warns that all administrators should block port 445 at the network perimeter so that vulnerable servers are not exposed to the Internet. By blocking port 445, devices are not only protected from remote malicious actors, but also from potential network worms that could use the exploit.
However, unless security updates are installed, devices will still be internally vulnerable to threat actors who compromise a network.
As this vulnerability is ideal for spreading laterally in a network, we will almost surely see it used by ransomware gangs in the future.
While now is not the time to panic about this vulnerability, administrators should make patching these devices a priority, as an exploit could be released at any time.
Once an exploit is released, it usually takes little time for threat actors to weaponize it in attacks.