Experts warn about the danger of a bug in Microsoft RPC

Bug in Microsoft RPC
Written by Emma Davis

Many security researchers are concerned about the CVE-2022-26809 vulnerability that Microsoft recently patched in Windows RPC.

The fact is that, according to experts, after the creation and publication of an exploit for this problem, it can be used for large-scale and serious attacks.

The bug was classified as critical and received a score of 9.8 on the CVSS vulnerability rating scale because it allows remote code execution. An issue has been identified in the Microsoft Remote Procedure Call (RPC) protocol, meaning that in the event of a hack, any commands will be executed with the same privilege level as the RPC server, which often has elevated or SYSTEM level privileges, giving full administrative access to the device.

The RPC protocol allows processes to communicate with each other, even if these programs are running on different devices, while RPC hosts “listen” for remote connections on TCP ports, most often on the 445 and 135 ports.

Note: Let me remind you that we also reported that Microsoft released urgent patches that fix bugs in the work of IPSEC and L2TP VPN, and also that For security reasons, Microsoft disabled Macros in Excel 4.0 (XLM).

After the release of the patch, security researchers quickly noticed that this bug could be used in large-scale attacks, as it was in the case with the Blaster worm in 2003 or during the WannaCry ransomware epidemic in 2017.

Experts have already begun to analyse and publish the technical details of the vulnerability, which other experts and attackers in the future can use to create a working exploit. For example, Akamai has already traced the issue to a heap buffer overflow in rpcrt4.dll.

In turn, Sentinel One specialist Antonio Cocomazzi has already successfully exploited the bug on his own RPC server, and not on the built-in Windows service. The good news is that exploitation of the vulnerability seems to require some RPC configuration, although this is still being tested.

Another well-known information security expert, Matthew Hickey, told Bleeping Computer that he is also studying a fresh problem and that it is “as bad as it can be for enterprise Windows systems.”

It is possible that this will become another global WCRY-like incident, depending on how long it takes for attackers to adopt and exploit this vulnerability. I expect attacks using this problem will begin to escalate in the coming weeks. The vulnerable rpcrt4.dll is used not only by Microsoft services, but also by third-party applications, which further increases the possible attack surface.says Hickey
Will Dormann

                      Will Dormann

CERT/CC analyst Will Dormann warns that all administrators should block port 445 on the network perimeter as soon as possible to keep vulnerable servers from being accessible from the Internet. Blocking this port protects devices not only from remote intruders, but also from potential worm attacks that could use the exploit for CVE-2022-26809. According to Dormann, more than 1.3 million devices with open port 445 are currently available on the network, so the choice of targets for attacks is rich.

In this case, it should be kept in mind that even blocking ports 445 and 135 around the entire perimeter may not be enough. Without patching, devices will still be vulnerable to local attackers who can compromise the company’s network.


User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.