New Patch Blocks Windows RPC Vulnerability

Microsoft Announces Fix for RPC CVE-2022-26809

Thursday, April 21, 2022—In its April 2022 “Patch Tuesday” release, Microsoft published a fix for the new Windows CVE-2022-26809 vulnerability. Rated “Critical”, the vulnerability could allow unauthorized remote code execution through the Microsoft Remote Procedure Call (RPC) communication protocol. RPC allows a program on a local system to request a service from another program located on a remote network via TCP ports. The CVE-2022-26809 vulnerability could give threat actors the opportunity to abuse this communication between clients and RPC services.

While no cyber-attack using CVE-2022-26809 has been documented to date, JSCM Group authorities feel that it may be just a matter of time. RPC hosts listen for remote connections over TCP ports, most commonly 445 and 135. The RPC server often runs with elevated or SYSTEM-level permissions, so cyber criminals who exploit it could execute commands at the same privilege level as the RPC server and gain full administrative access to the compromised device. At this time, it is estimated that more than 1.3 million devices have port 445 exposed to the Internet, representing a massive inventory of targets.

With the potential for global consequences, the 26809 vulnerability is being compared to the 2003 “Blaster” worm and the 2017 WannaCry ransomware attack that exploited the EternalBlue vulnerability. While immediately blocking exposed, at-risk ports may offer protection from external cyber-attack, that may not be enough to stop worms from spreading inside the network. “Because CVE-2022-26809 can spread laterally through your network,” says JSCM CEO, John Stengel, “ransomware attackers will most certainly be looking for a way to infiltrate your system through this vulnerability. While blocking ports 445 and 135 at the perimeter can stop external attacks, immediately applying Microsoft’s security patches is a must to defend your system.” High-level cyber advisors agree that threat actors are likely researching ways to take advantage of this vulnerability now and may launch attacks in the coming weeks.

Protect your systems immediately. In addition to blocking ports 445 and 135 at the perimeter, apply the CVE-2022-26809 security patches, which can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809. For further information or assistance in remediating Windows RPC CVE-2022-26809, please contact JSCM Group at JSCMGroup.com or 704.464.4468.
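
The following is an added example, not code from Microsoft or JSCM Group, showing one way to check that a perimeter rule set actually blocks TCP 135 and 445 as recommended above. The rule format, first-match semantics, sample rules and function names are assumptions constructed for illustration; the check is IPv4 only and deliberately conservative.

```python
"""Audit a first-match perimeter rule set for inbound exposure of TCP 135/445."""
from ipaddress import ip_network

RPC_PORTS = (135, 445)  # ports the article says to block at the perimeter

# RFC 1918 ranges treated as "internal" (assumption for this example).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (action, protocol, source CIDR, (low port, high port)).
# First matching rule wins; anything unmatched is denied.
SAMPLE_RULES = [
    ("allow", "tcp", "0.0.0.0/0", (443, 443)),
    ("allow", "tcp", "203.0.113.0/24", (445, 445)),  # partner range, still external
    ("deny", "tcp", "0.0.0.0/0", (135, 135)),
    ("allow", "any", "0.0.0.0/0", (1, 1024)),        # broad range re-opens 445
    ("deny", "tcp", "0.0.0.0/0", (445, 445)),        # shadowed by the rule above
]

def is_external(cidr):
    """True unless the source network lies wholly inside an internal range."""
    net = ip_network(cidr)
    return not any(net.subnet_of(i) for i in INTERNAL)

def exposed(rules, ports=RPC_PORTS):
    """Return {port: [(rule_index, source_cidr), ...]} for allow rules that let
    a non-internal source reach the port before a catch-all deny is reached.
    Conservative: narrower denies earlier in the list are not subtracted."""
    findings = {}
    for port in ports:
        for idx, (action, proto, src, (lo, hi)) in enumerate(rules):
            if proto not in ("tcp", "any") or not lo <= port <= hi:
                continue  # rule does not cover this TCP port
            if action == "deny" and ip_network(src).prefixlen == 0:
                break  # deny-from-anywhere: later rules cannot match this port
            if action == "allow" and is_external(src):
                findings.setdefault(port, []).append((idx, src))
    return findings

def hardened(rules, ports=RPC_PORTS):
    """Return the rule set with explicit deny-from-anywhere rules placed first."""
    return [("deny", "tcp", "0.0.0.0/0", (p, p)) for p in ports] + list(rules)

if __name__ == "__main__":
    for port, hits in exposed(SAMPLE_RULES).items():
        for idx, src in hits:
            print(f"TCP {port} reachable from {src} via rule #{idx}")
    print("after hardening:", exposed(hardened(SAMPLE_RULES)) or "no exposure")
```

In the sample, port 135 is blocked because its deny rule precedes the broad allow, while the deny for 445 comes too late to take effect; placing the deny rules first closes both.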