April 20, 2022
On Tuesday, 12 April 2022, Microsoft released patches for CVE-2022-26809, reportedly a zero-click exploit targeting Microsoft RPC services. At the time of this publication, there is no proof of this vulnerability being exploited in the wild. However, based on the rating that the exploitation is "more likely" we expect that this won't long be the case.
For most popular services (SMTP, DNS, HTTP, …) we use assigned ports managed by the Internet Assigned Numbers Authority (IANA). But there are common services specific to operating systems that do not have ports assigned by IANA, where the “Remote Procedure Call” (RPC) mechanism is used to standardize communication. Microsoft Remote Procedure Call, or MSRPC, allows for messages to be transmitted in different ways:
The number of hosts exposed on different ports (based on Shodan.io) shows that over 700,000 Microsoft machines appear potentially exposed. Any Windows machine where port 445 is exposed and the RPC runtime library is not patched is vulnerable. According to Microsoft, servers that listen on this TCP port are potentially vulnerable.
An integer overflow in MSRPC that, if exploited, allows for arbitrary code execution over the network without requiring authentication or user interaction.
Security researchers at Akamai have now compared versions 10.0.22000.434 (unpatched, from March) and 10.0.22000.613 (patched, from April) of the RPC runtime library in question within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll — and produced a detailed list of changes.
These reveal that the CVE is an “integer overflow bug [that] could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it”.
Blocking port 445 at the perimeter is the start of mitigation, but not sufficient to help prevent exploitation.
We recommend the following mitigations, based also on Microsoft’s official advisories:
In response to this CVE, our Runecast development team deployed an automated check for the vulnerability in the latest Runecast definitions release, version 188.8.131.52, now available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available, as always, through the Runecast customer portal.