Remote Procedure Call Runtime Remote Code Execution Vulnerability CVE-2022-26809
Every second Tuesday of the month Microsoft releases security updates for its Windows operating system, a day dubbed "Patch Tuesday".
And this past Tuesday, pun intended, the 12th of April 2022, a number of updates were released that should have you concerned. Here's why.
Of the 128 vulnerability fixes released, a significant number (10) carry a CVSS score of 9.8 on a 10-point scale, but among the scariest are the ones that allow for privilege escalation. Two of those do exactly that, and a number of the fixed bugs need no human interaction at all to be exploited. This article, however, focuses on CVE-2022-26809.
Pwndefend has done the following summary:
Kenya has not been left out, and below is a screenshot of the number of organisations that could be exposed to this vulnerability.
You can read all about these patches here: https://msrc.microsoft.com/update-guide/
. . .
How the CVE-2022-26809 vulnerability occurs
CVE-2022-26809 is a flaw in the Windows Remote Procedure Call (RPC) runtime, the component that handles inter-process communication between Windows services and between machines. It is reachable over SMB, the file-sharing protocol on TCP port 445 that also carries RPC traffic over named pipes, needs no authentication and no user interaction, and is therefore "wormable": an exploit can spread from host to host with no human involvement.
Because the bug sits in the RPC runtime itself, an attacker only needs to send a specially crafted RPC call to a host that exposes the RPC service. Successful exploitation runs the attacker's code with the same permissions as the RPC service on that host. The same payload can then be pointed at every other host reachable on port 445, moving laterally through the network and reaching the file shares SMB exposes along the way.
What makes CVE-2022-26809 so critical is its reach and its ease of use: it affects every supported Windows version from Windows 7 and Windows Server 2008 onwards, and its CVSS vector (network attack vector, low complexity, no privileges, no user interaction) means there is very little standing between an exposed host and exploitation.
Remember EternalBlue? If not, check out this link: https://yelbridges.co.ke/eternal-blue-exploitation-walkthrough/
Mitigation and Prevention
The fix is the April 2022 security update itself. As a mitigation, Microsoft's advisory recommends blocking TCP port 445 at the network perimeter firewall, since that is the port used to initiate a connection with the affected component; block 139 as well if NetBIOS session traffic crosses your perimeter. Blocking these ports helps protect systems behind that firewall from exploitation attempts coming from the Internet, but it does nothing against an attacker who is already inside the network, and it is of limited use to organisations that expose these ports on purpose. To bolster it, add host-based firewall rules on machines that do not need to serve files, put active monitoring on traffic to 445/139 in place, and keep security configurations that protect core Windows functionality.
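The host-level side of that advice, as an added example written for this post (it is not Microsoft's or Yelbridges' code): a block rule for TCP 445/139 on the Windows firewall, a listing of which allow rules currently open those ports, dropped-packet logging, and a triage of firewall log lines that flags inbound SMB connections from external addresses. The rule name and the pfirewall.log lines are assumptions constructed for the example; the field order is the standard Windows Firewall log layout.

```powershell
# Added example for this post (not Microsoft's or Yelbridges' code): host-level
# mitigation and monitoring helpers for CVE-2022-26809. Run in an elevated
# PowerShell on Windows 10/11 or Windows Server 2016+. The rule name and the
# firewall log lines used below are assumptions constructed for the example.

# 1. Block inbound SMB/NetBIOS session traffic (TCP 445, 139) on this host.
#    Windows Defender Firewall gives block rules precedence over allow rules, so
#    this closes the transport CVE-2022-26809 is reached over even where the
#    built-in "File and Printer Sharing" allow rule is enabled. Leave the Domain
#    profile out (-FirewallProfile Private,Public) on hosts that must serve files.
function Block-InboundSmb {
    param(
        [string[]] $FirewallProfile = @('Any'),
        [string]   $RuleName = 'Block inbound SMB (CVE-2022-26809 mitigation)'  # assumed name
    )
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$RuleName' already exists"
        return
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 445,139 -RemoteAddress Any `
        -Profile $FirewallProfile -Enabled True | Out-Null
    Write-Host "Created '$RuleName' for profile(s): $($FirewallProfile -join ',')"
}

# 2. Which enabled inbound allow rules explicitly open 445 or 139? (Rules with
#    LocalPort "Any" expose them too; this lists only the explicit ones.)
function Get-SmbExposure {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' -or $_.LocalPort -contains '139' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Profile, Enabled
}

# 3. Log dropped packets on every profile so probes for 445/139 are recorded.
function Enable-FirewallDropLogging {
    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 16384 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

# RFC 1918 / loopback test; anything else is treated as external.
function Test-PrivateIPv4 {
    param([string] $Ip)
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 127) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 4. Triage pfirewall.log lines: inbound TCP to 445/139, flagged external or not.
#    Log field order: date time action protocol src-ip dst-ip src-port dst-port
#    size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Find-SmbProbes {
    param([string[]] $LogLines)
    foreach ($line in $LogLines) {
        if (-not $line -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[16] -ne 'RECEIVE') { continue }
        if ($f[7] -notin @('445', '139')) { continue }
        [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            Action   = $f[2]
            Source   = $f[4]
            Dest     = $f[5]
            Port     = [int]$f[7]
            External = -not (Test-PrivateIPv4 $f[4])
        }
    }
}

# Constructed sample log (not a real capture). Expected: two rows, the external
# DROP from 198.51.100.23 and the internal ALLOW from 10.0.0.17. An internal
# ALLOW to 445 from a host that is not a known admin box or file server is the
# lateral-movement pattern described above and deserves a look.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-04-13 09:12:01 DROP TCP 198.51.100.23 10.0.0.5 51234 445 52 S 1234567 0 64240 - - - RECEIVE
2022-04-13 09:12:03 ALLOW TCP 10.0.0.17 10.0.0.5 49710 445 52 S 2233445 0 64240 - - - RECEIVE
2022-04-13 09:12:05 DROP UDP 203.0.113.9 10.0.0.5 40000 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Find-SmbProbes $sample | Format-Table -AutoSize

# Live use on an elevated prompt:
#   Block-InboundSmb; Enable-FirewallDropLogging; Get-SmbExposure
#   Find-SmbProbes (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The block rule is the host-side equivalent of the perimeter block and catches the case the perimeter cannot: a compromised neighbour on the same LAN. The log triage is deliberately simple so it can be dropped into an existing collector; the signal to watch for is not external probes (there will be many) but internal hosts connecting to 445 on machines they have no business talking to.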
To learn more about this vulnerability check out : https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809.
. . .
Other vulnerabilities to note
Other vulnerabilities addressed this Patch Tuesday are:
- CVE-2022-24491 and CVE-2022-24497 are Remote Code Execution (RCE) flaws in the Windows Network File System (NFS) and are considered "wormable" as well. An attacker sends a specially crafted NFS protocol message to a vulnerable system and gains full remote code execution, with the possibility of administrator privileges.
==> To patch these, sysadmins are advised to apply the newly released update on NFS servers as well and to configure the network perimeter firewall to block inbound NFS requests (TCP/UDP 2049) from untrusted networks.
- CVE-2022-24521 is a privilege escalation flaw in the Windows Common Log File System (CLFS) driver. Exploit code is not broadly available, but the bug was being actively exploited in the wild when the patch shipped, according to the National Security Agency (NSA), which reported it. The CLFS driver has received repeated fixes since September 2021, which goes some way to explaining why attackers keep targeting it.
==> Getting these fixes requires Windows security updates to be turned on so that they are installed automatically; if for some reason they are not, you can run a manual update as follows:
- Open Start ⇒ Settings ⇒ Update & Security ⇒ Windows Update (Windows 10)
- Should there be a new patch, it will show on screen
- Follow the instructions displayed
- Restart your machine for the updates to take effect.
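The same check done from a script rather than the Settings page, as an added example written for this post (not Microsoft's code): it reads the installed build and Update Build Revision from the registry, compares it with the revision shipped by the April 12, 2022 cumulative update, and if the host is behind, asks the built-in Windows Update Agent COM API what it would install. The build-to-revision table covers the KB5012599 (Windows 10 20H2/21H1/21H2) and KB5012592 (Windows 11 21H2) releases; the server SKUs and other builds have their own KB, which you should take from the MSRC update guide entry for CVE-2022-26809 before relying on the check.

```powershell
# Added example (not part of the original post): confirm the April 12, 2022
# cumulative update is installed and, if not, list what Windows Update offers,
# using the built-in Windows Update Agent COM API (no extra modules needed).
function Test-CVE202226809Patch {
    # Minimum UBR (Update Build Revision) per build, from the release notes of
    # KB5012599 (Windows 10 20H2/21H1/21H2) and KB5012592 (Windows 11 21H2).
    # Extend this table from the MSRC update guide for the builds you run.
    $minUbr = @{ '19042' = 1645; '19043' = 1645; '19044' = 1645; '22000' = 613 }
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR            # bumped by every cumulative update
    if (-not $minUbr.ContainsKey($build)) {
        Write-Warning "Build ${build}.${ubr} is not in the table; look up its KB on MSRC"
        return $null
    }
    $patched = $ubr -ge $minUbr[$build]
    if ($patched) {
        Write-Host "Build ${build}.${ubr}: April 2022 cumulative update or later is installed"
    } else {
        Write-Warning "Build ${build}.${ubr}: NOT patched, needs ${build}.$($minUbr[$build]) or later"
    }
    return $patched
}

# Scan for updates the way the Settings page does, but from a script or RMM tool.
function Get-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KBs      = (@($u.KBArticleIDs) -join ', ')
            Severity = $u.MsrcSeverity
        }
    }
}

if ((Test-CVE202226809Patch) -eq $false) {
    Get-PendingUpdates | Format-Table -AutoSize
    # Review the list, install via Settings or your patch-management tool,
    # reboot, then re-run Test-CVE202226809Patch to confirm.
}
```

Comparing the build revision is more reliable than looking for a specific KB with Get-HotFix, because a later cumulative update supersedes the April one and a host patched in May will not show KB5012599 at all even though it is fixed.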
. . .
It is generally advisable to wait a few days after a patch has been released, to avoid any problems that may come with that update, and to back up your critical files before applying it. For a wormable, unauthenticated RCE like CVE-2022-26809 that waiting period should be short: test on a small pilot group, then roll out.
Having a team that looks after your security is also key. We understand that this skill is not always within your reach, so consider managed security services, where someone external such as Yelbridges looks after your security for you. Monitoring solutions are key, and so are vulnerability patching mechanisms; having an MSSP that understands your needs makes both easier.
As we draw to a close, Microsoft has also announced the upcoming release of Windows Autopatch, a Microsoft-managed service that will see Windows and Office automatically patched as soon as updates are available. It is expected in July 2022, so be sure to keep an eye out for it.
. . .