April Patch Tuesday brings 145 vulnerability fixes from Microsoft — the highest number in 19 months—including CVE-2022-26809, a critical remote code execution (RCE) vulnerability in Windows Remote Procedure Call (RPC) Runtime library that impacts all supported Windows products.
Notably, Microsoft also released security updates for Windows 7, an end-of-life product since January 2020, which highlights the severity of CVE-2022-26809. A threat actor could successfully exploit this vulnerability by sending a specially crafted RPC call to an RPC host. CVE-2022-26809 does not require privileges or user interaction to be exploited, which could make this a wormable vulnerability if the RPC service is accessible.
Back in 2008, millions of devices had been compromised due to CVE-2008-4250 which was similar wormable vulnerability. Furthermore, threat actors have leveraged vulnerabilities in protocols such as Server Message Block (SMB) to deploy ransomware. In 2017, we observed WannaCry, a ransomware that contained a worming component, exploit vulnerabilities in Windows SMBv1 and ultimately spread to more than 200,000 computers.
Active exploitation hasn’t been observed, or a proof-of-concept (PoC) exploit has not been published for this vulnerability. However, it has been foreseen that threat actors will focus their research efforts on developing a working exploit within the near term. Still, the worming capability may take longer to implement. Due to the potential for creating a “wormable exploit,” if it gets available, a variety of threat groups would leverage exploits for CVE-2022-26809 to deploy malicious payloads, such as ransomware, to multiple systems in a target network with RPC accessible.
Recommendations for CVE-2022-26809
Recommendation #1: Apply Applicable Security Updates
Microsoft released security updates for 43 Windows products affected by CVE-2022-26809. We strongly recommend reviewing the published security updates and applying all applicable security updates to impacted products within your environment.
Recommendation #2: Restrict TCP ports 445 at the Perimeter Firewall
Microsoft also advised blocking TCP port 445 at the perimeter firewall to prevent new attacks coming in from the internet. Implementing this type of restriction will also protect against other types of attacks that abuse the RPC and SMB protocols.
- Microsoft Advisory CVE-2022-26809: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- Zero Day Initiative April 2022 Security Update Review: https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review
- Secure SMB Traffic in Windows Server: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic
- Writing a Secure RPC Client or Server: https://docs.microsoft.com/en-us/windows/win32/rpc/writing-a-secure-rpc-client-or-server
- RPC Security Essentials: https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-security-essentials
- Conficker Worm Targets Microsoft Windows Systems – CVE-2008-4250: https://www.cisa.gov/uscert/ncas/alerts/TA09-088A
- NCCIC ICS WannaCry Fact Sheet: https://www.cisa.gov/uscert/sites/default/files/FactSheets/NCCICICS_FactSheet_WannaCry_Ransomware_S508C.pdf