CVE-2022-26809: MS-RPC VULNERABILITY

SOCFortress
Apr 19, 2022


Intro

Microsoft has fixed a new Windows RPC vulnerability, CVE-2022-26809, that is raising concerns among security researchers due to its potential for widespread, significant cyberattacks once an exploit is developed. All organizations therefore need to apply Windows security updates as soon as possible.

If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM level permissions, providing full administrative access to the exploited device.

After Microsoft released security updates, security researchers quickly saw the potential for this bug to be exploited in widespread attacks, similar to what we saw with the 2003 Blaster worm and the 2017 WannaCry attacks that used the EternalBlue vulnerability.

For example, researchers at Akamai have already tracked the bug down to a heap buffer overflow in the rpcrt4.dll DLL: “This in turn allows data to be written out of the buffer’s bounds, on the heap. When exploited properly, this primitive could lead to remote code execution.”

RPC — OVERVIEW

RPC stands for “Remote Procedure Call” and is a technology used for distributed client/server communications between programs. This technology allows applications to send signals to each other to perform an operation.

RPC is used for everyday procedures that happen within Windows environments ranging from authentication, service creation, directory replication, and more.

The RPC protocol provides a method of inter-process communication between a server and client applications. Microsoft supports “service based” protocols by default on Windows. These protocols are services that Microsoft has defined. They are built out for various functionalities, like printer capabilities, directory replication, service creation and more. Many of these protocols use RPC to act as the facilitator and the fulfiller of the communications.

The endpoint mapper is a service that is located on every Windows host and can be seen as epmapper. This service maintains the database of endpoints that clients use to map an interface to endpoints. At runtime, this service is started and acts as a director to map client/server communication.

Well Known Microsoft RPC ports:

NOTE: Named pipes can be used to exploit TCP 445 and others (see below)

Protection and Mitigation Actions

  • Proper network segmentation:
    not exposing well-known RPC ports.
    clients and servers in different subnets.
    blocking inbound connections on TCP port 135 in client subnets.
  • RPC Filtering.
  • Enabling RPC Logging (big caveat: very noisy). See below for alternatives.

END-POINT TELEMETRY TO KEEP AN EYE ON

  • EDR Agent: Wazuh Agent + Sysmon.
  • SIEM: Wazuh Stack.

Events:

  • Windows Event ID 5156 — The Windows Filtering Platform has permitted a connection.
  • Sysmon Event ID = 3 (network connection) where:
    Process = services.exe, lsass.exe… (identify the RPC servers you want visibility into)
    Connection Initiated = False
  • Sysmon Event ID = 17 (pipe created) and 18 (pipe connected) where:
    Process = services.exe, lsass.exe… (identify the RPC servers you want visibility into)
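
The criteria above can be applied to exported events with a short script. The following is an added example, not code from SOCFortress or Wazuh: it filters constructed Sysmon events for the two RPC server processes named above and counts inbound connections per source IP. The JSON field layout (`win.system.eventID`, `win.eventdata.*`) and the sample values are assumptions.

```python
import json
from collections import Counter

# Assumption: the RPC server processes to watch (the two the post names).
RPC_SERVERS = {"services.exe", "lsass.exe"}

# Constructed sample events, one JSON object per line. Field names are an
# assumed layout for Sysmon events as decoded into JSON by the SIEM.
SAMPLE = r"""
{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Windows\\System32\\services.exe","initiated":"false","sourceIp":"10.0.5.23","destinationPort":"49670"}}}
{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Windows\\System32\\lsass.exe","initiated":"false","sourceIp":"10.0.5.23","destinationPort":"49664"}}}
{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Windows\\System32\\services.exe","initiated":"true","sourceIp":"10.0.1.10","destinationPort":"135"}}}
{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Program Files\\App\\app.exe","initiated":"false","sourceIp":"10.0.5.40","destinationPort":"8080"}}}
{"win":{"system":{"eventID":"17"},"eventdata":{"image":"C:\\Windows\\System32\\lsass.exe","pipeName":"\\lsass"}}}
{"win":{"system":{"eventID":"18"},"eventdata":{"image":"C:\\Windows\\System32\\services.exe","pipeName":"\\ntsvcs"}}}
{"win": truncated
"""

def image_name(path):
    # Sysmon logs the full image path; match on the lower-cased file name.
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    # Returns 'inbound', 'pipe' or None using the criteria listed in the post.
    win = event.get("win", {})
    event_id = str(win.get("system", {}).get("eventID", ""))
    data = win.get("eventdata", {})
    if image_name(data.get("image", "")) not in RPC_SERVERS:
        return None
    if event_id == "3" and str(data.get("initiated", "")).lower() == "false":
        return "inbound"  # connection accepted by an RPC server process
    if event_id in ("17", "18"):
        return "pipe"     # named pipe created or connected
    return None

def triage(lines):
    # Count inbound connections per source IP and list pipe activity.
    inbound, pipes = Counter(), []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        kind = classify(event)
        data = event.get("win", {}).get("eventdata", {})
        if kind == "inbound":  # assumes sourceIp is the remote peer
            inbound[data.get("sourceIp", "unknown")] += 1
        elif kind == "pipe":
            pipes.append((image_name(data["image"]), data.get("pipeName", "")))
    return inbound, pipes
```

Calling `triage(SAMPLE.splitlines())` returns the per-source counter and the list of (process, pipe name) pairs; grouping by source keeps the volume manageable when the same client talks to several RPC servers.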

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).