CVE-2022-26809: MS-RPC VULNERABILITY

Intro

Microsoft has patched CVE-2022-26809, a remote code execution vulnerability in the Windows RPC runtime, in its April 2022 security updates. The bug is raising concern among security researchers because it is reachable over the network without authentication, so once a working exploit is developed it has the potential for widespread, significant attacks. Every organization should apply the Windows security updates as soon as possible.

RPC — OVERVIEW

RPC stands for "Remote Procedure Call", a technology for distributed client/server communication between programs: a client invokes a procedure exposed by a server process, on the same host or on a remote one, as if it were a local function call. On Windows (MS-RPC) these calls travel over several transports, principally TCP, where the endpoint mapper on port 135 hands out the dynamic port of each registered server interface, and SMB named pipes on TCP 445. That is why both the listening ports and the named-pipe activity of RPC server processes matter for defence.

Protection and Mitigation Actions

  • Proper network segmentation:
    do not expose the well-known RPC ports (TCP 135 for the endpoint mapper, TCP 445 for RPC over SMB named pipes) to untrusted networks.
    keep clients and servers in different subnets.
    block inbound connections to TCP 135 within client subnets; workstations rarely need to accept RPC calls from other workstations. Caveat: this only removes the endpoint-mapper path. A caller that already knows an interface's dynamic port, or that reaches it through a named pipe on TCP 445, is not stopped, so restrict those as well where the host's role allows it.
  • RPC filtering: the RPC runtime's built-in filter (netsh rpc filter) can block calls to a given interface UUID on the host itself, independently of the transport the call arrived on.
  • Enabling RPC audit logging (Security event 5712, "Audit RPC Events"). Big caveat: it is very noisy. See below for alternatives.
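The three mitigations above, applied on a single Windows client from an elevated PowerShell session. This is an added example and not code from the original post; the client subnet range and the interface UUID are placeholders that must be replaced with your own workstation ranges and the RPC interface you actually intend to block.

```powershell
# Added example (not from the original post): host-side enforcement of the
# mitigations above on a Windows client. Run from an elevated PowerShell.
# ASSUMPTIONS: $ClientSubnets is a placeholder for your own workstation
# ranges, and $InterfaceUuid is a placeholder to be replaced with the UUID
# of the RPC interface you want to block.

$ClientSubnets = @('10.20.0.0/16')                          # assumed workstation ranges
$InterfaceUuid = '00000000-0000-0000-0000-000000000000'     # PLACEHOLDER interface UUID

# --- 1. Segmentation: no workstation-to-workstation RPC -----------------
# Drop inbound endpoint-mapper (TCP 135) and SMB/named-pipe (TCP 445) traffic
# that originates from other client subnets. Management and server subnets
# are not listed, so they keep their access. Block rules take precedence
# over allow rules in Windows Defender Firewall, so these hold even if a
# broader allow rule already exists.
foreach ($port in 135, 445) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $port from client subnets" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $ClientSubnets -Action Block `
        -Profile Domain, Private -Enabled True | Out-Null
}

# --- 2. RPC filtering: block one interface regardless of transport ------
# The RPC runtime's own filter evaluates calls by interface UUID after the
# bind, so it catches calls arriving over a dynamic TCP port or a named
# pipe, not only port 135. "add rule" opens a blocking rule, "add condition"
# attaches the match, and "add filter" commits it.
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=$InterfaceUuid
netsh rpc filter add filter

# --- 3. Verify what is now in place ---------------------------------------
Get-NetFirewallRule -DisplayName 'Block inbound TCP *' |
    Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol
netsh rpc filter show filter

# --- 4. Optional: RPC audit logging (Security event 5712). Very noisy. ----
# Uncomment only if something downstream will actually consume the events.
# auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
```

Test the firewall rules from a host in a client subnet and from a management host before rolling them out by GPO: the first should fail to connect to 135 and 445, the second should still succeed. Keep the RPC filter narrow; blocking an interface that domain members depend on (for example the ones used by the Service Control Manager or Group Policy) breaks management of the host rather than protecting it.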

ENDPOINT TELEMETRY TO KEEP AN EYE ON

  • EDR agent: Wazuh agent + Sysmon.
  • SIEM: Wazuh stack.
  • Sysmon Event ID 3 (network connection) where:
    Image = services.exe, lsass.exe, ... (identify the RPC server processes you want visibility into; note that the endpoint mapper and many other RPC services are hosted in svchost.exe instances, so for those filter on the destination port as well, or the volume will be unmanageable).
    Initiated = false (the RPC server accepted an inbound connection; outbound connections from the same processes are normal and far more numerous).
  • Sysmon Event ID 17 (pipe created) and 18 (pipe connected) where:
    Image = services.exe, lsass.exe, ... (the same set of RPC server processes).
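The same filters applied as a hunt over a host's local Sysmon log, so the events can be reviewed on an endpoint before (or instead of) building SIEM rules around them. This is an added example, not code from the original post or from the Wazuh project; it assumes Sysmon is installed with NetworkConnect and PipeEvent rules that cover these processes, that it runs elevated, and the process list, svchost port list and 24-hour look-back window are assumptions to adjust.

```powershell
# Added example (not from the original post): hunt the local Sysmon log for
# the RPC-server telemetry described above. ASSUMPTIONS: Sysmon is installed
# with NetworkConnect and PipeEvent rules covering these processes; the
# process list, port list and look-back window are placeholders.

$RpcServers   = @('services.exe', 'lsass.exe', 'spoolsv.exe')  # RPC servers to watch
$SvchostPorts = @(135)    # for svchost.exe only the endpoint mapper is of interest here
$Since        = (Get-Date).AddHours(-24)

function ConvertFrom-SysmonEvent {
    # Flatten <EventData><Data Name="..">..</Data></EventData> into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3, 17, 18
    StartTime = $Since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt   = $_
    $e     = ConvertFrom-SysmonEvent -Event $evt
    $image = [System.IO.Path]::GetFileName($e['Image'])

    switch ($evt.Id) {
        3 {
            # Initiated=false means the local process ACCEPTED the connection;
            # outbound connections from the same process are dropped here.
            if ($e['Initiated'] -ne 'false') { return }
            $port = [int]$e['DestinationPort']
            $interesting = ($RpcServers -contains $image) -or
                           ($image -eq 'svchost.exe' -and $SvchostPorts -contains $port)
            if (-not $interesting) { return }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = 3
                Image   = $image
                Detail  = "inbound $($e['Protocol']) $($e['SourceIp']):$($e['SourcePort']) -> :$port"
            }
        }
        { $_ -in 17, 18 } {
            # Pipe created (17) / pipe connected (18) by a watched RPC server.
            if ($RpcServers -notcontains $image) { return }
            $kind = if ($evt.Id -eq 17) { 'created' } else { 'connected' }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = $evt.Id
                Image   = $image
                Detail  = "pipe $($e['PipeName']) $kind"
            }
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Sysmon only writes Event ID 3, 17 and 18 for what its configuration matches, so the NetworkConnect and PipeEvent sections of the Sysmon config have to include these images (and Initiated=false for ID 3) before this hunt, or a Wazuh rule on the same fields, will see anything. Once the events are shipped by the Wazuh agent, the same two conditions map onto the decoded fields win.eventdata.image and win.eventdata.initiated, so the logic above carries over directly into a Wazuh rule.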

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
