• WatchTower365

Security Advisory - Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)


A recent vulnerability identified by Microsoft in a core Windows component, the RPC runtime, was rated CVSS 9.8 because it can be exploited remotely and without authentication.

What?

CVE-2022-26809 is a weakness in a core Windows component (the RPC runtime) that earned a CVSS score of 9.8 for good reason: the attack requires no authentication, can be executed remotely over the network, and results in remote code execution (RCE) with the privileges of whichever process hosts the RPC runtime. Reliable exploitation is not guaranteed, but a successful attempt gives access to unpatched Windows hosts that expose SMB (TCP port 445). The vulnerability can be exploited both from outside the network, to breach the perimeter, and between machines inside the network, for lateral movement.


For more information, refer to the vendor advisory and the third-party write-up linked below:

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

  • https://www.pwndefend.com/2022/04/14/cve-2022-26809/

The following operating systems are affected by this vulnerability:

  • Windows 10 Pro Build 10.0.10240 x64

  • Windows 10 Pro Build 10.0.19042 x64

  • Windows 10 Pro Build 10.0.19044 x64

  • Windows Server 2019 x64

  • Windows Server 2022 x64

  • Windows 7 SP1 x64

Microsoft will update this list in the future. For now, treat every unpatched system running a Windows OS as affected, since the RPC runtime ships with all of them; a host with TCP port 445 reachable over the network is the one that can actually be attacked remotely.


How?

The vulnerability lies within the Windows RPC runtime, which is implemented in the library rpcrt4.dll. This library is loaded into both client and server processes that use the RPC protocol for communication. We compared rpcrt4.dll versions 10.0.22000.434 (March) and 10.0.22000.613 (April, patched) and singled out the list of changes.

The functions OSF_SCALL::ProcessReceivedPDU and OSF_CCALL::ProcessReceivedPDU are similar in nature: both process incoming RPC packets, but one runs on the server side (SCALL) and the other on the client side (CCALL). By diffing OSF_SCALL::ProcessReceivedPDU we noticed two code blocks that were added in the new version.


Looking at the patched code, we saw that a new function is called right after QUEUE::PutOnQueue. Inspecting that function, we found that it checks for integer overflows: it was added to verify that an integer variable stays within its expected value range before the value is used.


Diving deeper into the vulnerable code in OSF_SCALL::GetCoalescedBuffer, we noticed that the integer overflow can lead to a heap buffer overflow: the wrapped value is used to size the buffer that the queued fragments are coalesced into, so a buffer that is too small is allocated, and the fragment data copied into it overruns its bounds on the heap. When exploited, this primitive leads to remote code execution.

The same integer-overflow check was added in other functions as well:

  • OSF_CCALL::ProcessResponse

  • OSF_SCALL::GetCoalescedBuffer

  • OSF_CCALL::GetCoalescedBuffer


The integer overflow vulnerability, and the check that prevents it, exist in both the client-side and the server-side execution flows, so RPC clients need the update just as much as RPC servers.
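To make the bug class concrete, the following C program is an added illustration written for this advisory; it is not rpcrt4.dll code, and the pdu_frag structure, the function names and the sample fragments are hypothetical. It models the coalescing step described above: fragment lengths taken from PDU headers are summed into a 32-bit total, which then sizes the heap buffer the fragments are copied into. The vulnerable sizing routine lets the sum wrap, while the hardened one applies the kind of range check the April update added.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One queued PDU fragment. Hypothetical layout for this example only;
 * it is not the structure rpcrt4.dll uses. */
typedef struct {
    const uint8_t *data;   /* fragment payload (NULL when only the header length is modelled) */
    uint32_t len;          /* length as carried in the fragment header, i.e. peer-controlled */
} pdu_frag;

/* Vulnerable sizing step (pre-patch pattern): the total is accumulated in a
 * 32-bit integer from lengths the peer controls, so it can wrap. The caller
 * then allocates `total` bytes and copies every fragment into that buffer,
 * which is the heap overflow described in the analysis. */
uint32_t coalesced_size_vuln(const pdu_frag *frags, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += frags[i].len;          /* wraps silently past UINT32_MAX */
    return total;
}

/* Hardened sizing step, modelled on the overflow check the patch inserted:
 * refuse any fragment whose length would push the running total past
 * UINT32_MAX. Returns false when the sizes do not add up. */
bool coalesced_size_safe(const pdu_frag *frags, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (frags[i].len > UINT32_MAX - total)
            return false;               /* would overflow: reject the call */
        total += frags[i].len;
    }
    *out = total;
    return true;
}

/* Coalesce fragments into one heap buffer using the checked size.
 * Returns NULL (and sets *out_len to 0) if the sizing check fails. */
uint8_t *coalesce_safe(const pdu_frag *frags, size_t n, uint32_t *out_len)
{
    uint32_t total;
    *out_len = 0;
    if (!coalesced_size_safe(frags, n, &total))
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return NULL;
    uint32_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, frags[i].data, frags[i].len);  /* always in bounds now */
        off += frags[i].len;
    }
    *out_len = total;
    return buf;
}

/* Constructed sample: two benign fragments that legitimately coalesce. */
static const uint8_t frag_a[] = "stub-data-part-1;";
static const uint8_t frag_b[] = "stub-data-part-2";
static const pdu_frag benign[] = {
    { frag_a, sizeof frag_a - 1 },
    { frag_b, sizeof frag_b - 1 },
};

/* Constructed sample: header lengths chosen so that 0x10 + 0xFFFFFFF8 wraps
 * to 8. The data pointers are NULL because no such payload exists; only the
 * sizing step is exercised for these, never a copy. */
static const pdu_frag wrapping[] = {
    { NULL, 0x10u },
    { NULL, 0xFFFFFFF8u },
};

uint32_t demo_wrapped_size(void) { return coalesced_size_vuln(wrapping, 2); }
bool demo_safe_rejects(void) { uint32_t t; return !coalesced_size_safe(wrapping, 2, &t); }
uint32_t demo_benign_len(void) { uint32_t n; uint8_t *b = coalesce_safe(benign, 2, &n); free(b); return n; }
bool demo_benign_ok(void)
{
    uint32_t n;
    uint8_t *b = coalesce_safe(benign, 2, &n);
    bool ok = b && n == 33 && memcmp(b, "stub-data-part-1;stub-data-part-2", 33) == 0;
    free(b);
    return ok;
}

int main(void)
{
    uint32_t len;
    uint8_t *buf = coalesce_safe(benign, 2, &len);
    if (buf)
        printf("benign: %u bytes -> %.*s\n", (unsigned)len, (int)len, (const char *)buf);
    free(buf);
    printf("wrapping: vulnerable sizing returns %u, although the first fragment alone is %u bytes\n",
           (unsigned)demo_wrapped_size(), (unsigned)wrapping[0].len);
    printf("wrapping: hardened sizing rejects the call = %s\n", demo_safe_rejects() ? "yes" : "no");
    return 0;
}
```

With the wrapping sample, the vulnerable routine returns 8, so a real coalescing loop would malloc 8 bytes and then copy 0x10 bytes of the first fragment into it; the hardened routine rejects the same input before any allocation, which is the behaviour the added check in OSF_SCALL::GetCoalescedBuffer and its siblings provides.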

The Fix?

Apply the latest security updates provided by Microsoft from the link below: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809


  • Block inbound TCP port 445 at the perimeter so devices outside the network cannot reach it. This stops attacks originating from outside, but hosts inside the network can still reach each other, so patching remains the real fix.

  • Allow inbound TCP port 445 only on machines where it is actually needed.

  • Make sure SMB traffic is secured as per the Microsoft guidelines.

You can refer to the guidelines via the link below: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic