On Tuesday, 12 April 2022, Microsoft released patches for CVE-2022-26809, reportedly a zero-click exploit targeting Microsoft RPC services. At the time of this publication, there is no proof of this vulnerability being exploited in the wild. However, based on the rating that the exploitation is "more likely" we expect that this won't long be the case.
What is RPC
For most popular services (SMTP, DNS, HTTP, …) we use assigned ports managed by the Internet Assigned Numbers Authority (IANA). But there are common services specific to operating systems that do not have ports assigned by IANA, where the “Remote Procedure Call” (RPC) mechanism is used to standardize communication. Microsoft Remote Procedure Call, or MSRPC, allows for messages to be transmitted in different ways:
- SMB (port 445 TCP or port 139) are most common. The commands over SMB are sent as named pipe writes that are then passed to the respective service.
- Via TCP (port 135 TCP and high port). The clients first connect to an endpoint mapper which will return the port number the service uses. Then a second TCP connection to the high port will be transmitting the RPC message.
- Via HTTP (default port 593). This is useful if RPC is exposed over the Internet. TLS can be used for encryption and HTTP may provide additional authentication options. Port 80/443 may be used also.
The number of hosts exposed on different ports (based on Shodan.io) shows that over 700,000 Microsoft machines appear potentially exposed. Any Windows machine where port 445 is exposed and the RPC runtime library is not patched is vulnerable. According to Microsoft, servers that listen on this TCP port are potentially vulnerable.
An integer overflow in MSRPC that, if exploited, allows for arbitrary code execution over the network without requiring authentication or user interaction.
Security researchers at Akamai have now compared versions 10.0.22000.434 (unpatched, from March) and 10.0.22000.613 (patched, from April) of the RPC runtime library in question within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll — and produced a detailed list of changes.
These reveal that the CVE is an “integer overflow bug [that] could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it”.
Impact and mitigation
Blocking port 445 at the perimeter is the start of mitigation, but not sufficient to help prevent exploitation.
We recommend the following mitigations, based also on Microsoft’s official advisories:
- Apply the latest security updates that mitigate these vulnerabilities.
- Although RPC is necessary for services used by the system, it is recommended to block traffic to TCP port 445 for devices outside of the enterprise perimeter.
- Limit lateral movement by allowing incoming TCP port 445 only on machines where it is needed (i.e., domain controllers, print servers, file servers, etc).
In response to this CVE, our Runecast development team deployed an automated check for the vulnerability in the latest Runecast definitions release, version 188.8.131.52, now available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available, as always, through the Runecast customer portal.