Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26809
CVSS:3.0 Score: 9.8 Critical
Executive Summary
THREAT
- Threat actors are discussing an exploit for CVE-2022-26809, an RCE vulnerability in the Windows RPC runtime.
- A possibly working exploit is being sold for USD 105.
IMPACT
- Access to devices with a vulnerable RPC runtime.
- The exploit can be used to execute commands at the same privilege level as the RPC server.
MITIGATION
- Apply the latest security updates.
- Block traffic to TCP port 445 for services outside the enterprise perimeter.
- Limit lateral movement by monitoring inbound traffic on TCP port 445.
Analysis and Attribution
Information from the Post
- CloudSEK's contextual AI digital risk platform XVigil discovered threat actors discussing an exploit for CVE-2022-26809 on cybercrime forums.
- CVE-2022-26809 is a remote code execution vulnerability in a core Windows component, the Remote Procedure Call (RPC) Runtime.
- The attack does not require authentication and can be executed remotely over a network, resulting in remote code execution (RCE) with the privileges of the RPC service, which depend on the process hosting the RPC runtime.
- The vulnerability can be exploited both from outside the network and between machines inside it, making it usable for both initial breach and lateral movement.
[Figure: Screenshot of the conversation on a cybercrime forum]
Information from OSINT
- Shodan search suggests that there are 1,707,532 publicly exposed machines running RPC.
- A threat actor was seen selling an exploit for the vulnerability on GitHub.
- Credibility of this threat actor cannot be attributed at this time, due to insufficient information.
- Tweets made by threat researchers suggest that an exploit for this CVE is being used in the wild to gain access.
Information from Cybercrime Forums
- A threat actor was selling the exploit for the above vulnerability for USD 105 (in cryptocurrency).
- The actor mentioned that they are willing to sell 25 copies of the exploit.
- 22 copies have already been sold by 18 September 2022.
Impact & Mitigation
IMPACT
- The exploit gives attackers the ability to execute arbitrary commands at the same privilege level as the RPC server.
- The RPC server, in many cases, runs with elevated or SYSTEM-level permissions, providing full administrative access to the exploited device.
- The access can be further extended by lateral movement and/or privilege escalation.
- The alleged access enables attackers to download and modify data and to launch ransomware attacks.
MITIGATION
- Apply the latest security updates to mitigate these vulnerabilities.
- RPC is required by the system's own services, so it cannot simply be disabled; it is recommended to block traffic to TCP port 445 for services outside the enterprise perimeter.
- Limit lateral movement by allowing inbound TCP port 445 only to machines where it is required, such as print servers, domain controllers, file servers, etc.
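One way to apply the port 445 restriction above on a Windows host, as an added example that is not part of the CloudSEK advisory: it assumes Windows Defender Firewall is the enforcement point (the advisory does not name a specific firewall), and the peer addresses are placeholders to be replaced with your own file servers, print servers and domain controllers.

```powershell
# Added example, not from the original advisory. Scope inbound TCP 445 to an allow list
# and audit any remaining rule that still exposes 445 to every remote address.
# Placeholder addresses: replace with the hosts that genuinely need SMB/RPC over 445.
$AllowedPeers = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')

# Windows Defender Firewall evaluates Block rules before Allow rules, so the safe pattern
# is: keep the default inbound action as Block, disable the broad built-in SMB allow rules,
# and add a single Allow rule whose RemoteAddress is limited to the approved peers.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable the stock "File and Printer Sharing" inbound rules; they allow 445 from anywhere
# on the profiles where they are enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Allow 445 only from the approved peers, and only on Domain/Private networks.
if (-not (Get-NetFirewallRule -DisplayName 'SMB-445 Allow approved peers' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SMB-445 Allow approved peers' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedPeers -Action Allow -Profile Domain, Private | Out-Null
}

# Audit: list every enabled inbound Allow rule that still opens 445 to "Any" remote address.
function Get-Open445Rules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter)
            $ports.Protocol -eq 'TCP' -and (@($ports.LocalPort) -contains '445' -or @($ports.LocalPort) -contains 'Any')
        } |
        Where-Object { (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any') } |
        Select-Object DisplayName, Profile
}

# Expected after the steps above: no rows, i.e. 445 is reachable only from $AllowedPeers.
Get-Open445Rules | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session; the audit function can also be run on its own during an incident review to find hosts where 445 is still broadly exposed.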
List of Affected Versions
Windows 7
- For 32-bit systems Service Pack 1
- For x64-based systems Service Pack 1
Windows 8.1
- For 32-bit systems
- For Windows RT 8.1
- For x64-based systems
Windows 10
- For 32-bit systems
- For x64-based systems
- Version 1607 for 32-bit systems
- Version 1607 for x64-based systems
- Version 1809 for 32-bit systems
- Version 1809 for x64-based systems
- Version 1809 for ARM64-based systems
- Version 1909 for 32-bit systems
- Version 1909 for x64-based systems
- Version 1909 for ARM64-based systems
- Version 20H2 for 32-bit systems
- Version 20H2 for x64-based systems
- Version 20H2 for ARM64-based systems
- Version 21H1 for 32-bit systems
- Version 21H1 for x64-based systems
- Version 21H1 for ARM64-based systems
- Version 21H2 for 32-bit systems
- Version 21H2 for x64-based systems
- Version 21H2 for ARM64-based systems
Windows 11
- For ARM64-based systems
- For x64-based systems
Windows Server 2008
- R2 for x64-based systems Service Pack 1 (Server Core installation)
- R2 for x64-based systems Service Pack 1
- For x64-based systems Service Pack 2 (Server Core installation)
- For x64-based systems Service Pack 2
- For 32-bit systems Service Pack 2 (Server Core installation)
- For 32-bit systems Service Pack 2
Windows Server
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 20H2 (Server Core installation)
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
Appendix
[Figure: Snippet of the post by a different threat actor advertising their exploit]
[Figure: Screenshot from Shodan depicting 1,707,532 publicly exposed machines running RPC]