Exploit for CVE-2022-26809, an RCE Vulnerability in Windows RPC

Summary

Threat actors discussing the exploit for CVE-2022-26809, an RCE present in the Windows RPC runtime.
 
Category: Vulnerability Intelligence Vulnerability Class: Remote Code Execution CVE ID: CVE-2022-26809 CVSS:3.0 Score: 9.8 Critical

Executive Summary

THREAT IMPACT MITIGATION
  • Threat actors discussing the exploit for CVE-2022-26809, an RCE present in the Windows RPC runtime.
  • A possibly working exploit is being sold for USD 105.
  • Access to the device with vulnerable RPC.
  • The exploit can be used to execute commands at the same privilege level as the RPC server.
  • Apply the latest security updates.
  • Block traffic to TCP port 445 for services outside the enterprise perimeter.
  • Limit the lateral movement by monitoring the input on TCP port 445.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered threat actors talking about the exploit for CVE-2022-26809, on cybercrime forums.
  • CVE-2022-26809 is a remote code execution vulnerability present in the core Windows component, Remote Procedure Call (RPC) Runtime.
  • The attack does not require authentication and can be executed remotely over a network, resulting in remote code execution (RCE) with the privileges of the RPC service, which depends on the process hosting the RPC runtime.
  • The vulnerability can be exploited both from outside the network and between network machines in order to breach it.
Screenshot of the conversation on a cybercrime forum
Screenshot of the conversation on a cybercrime forum

Information from OSINT

  • Shodan search suggests that there are 1,707,532 publicly exposed machines running RPC.
  • A threat actor was seen selling an exploit for the vulnerability on GitHub.
  • Credibility of this threat actor cannot be attributed at this time, due to insufficient information.
  • Tweets made by threat researchers suggest that an exploit for this CVE is being used in the wild to gain access.

Information from Cybercrime Forums

  • A threat actor was selling the exploit for the above vulnerability for USD 105 (in cryptocurrency).
  • The actor mentioned that they are willing to sell 25 copies of the exploit.
  • 22 copies have already been sold by 18 September 2022.

Impact & Mitigation

IMPACT MITIGATION
  • The exploit gives attackers the power to execute any commands at the same privilege level as the RPC server.
  • The RPC server, in many cases, has elevated or SYSTEM level permissions, providing full administrative access to the exploited device.
  • The access can be further elevated by lateral movement and/or privilege escalation.
  • The alleged access empowers attackers to download, modify data and launch ransomware attacks.
  • Apply the latest security updates to mitigate these vulnerabilities.
  • RPC is required for devices used by the system. It is recommended to block traffic to TCP port 445 for services outside the enterprise perimeter.
  • Limit the lateral movement by enabling incoming TCP port 445 only to machines where it is required, such as print servers, domain controllers, file servers, etc.

List of Affected Versions

Windows 7
For 32-bit systems Service Pack 1 For x64-based systems Service Pack 1
Windows 8.1
For 32-bit systems For Windows RT 8.1
For x64-based systems
Windows 10
Version 20H2 for ARM64-based systems Version 1909 for ARM64-based systems
Version 1809 for x64-based systems For 32-bit systems
Version 21H2 for x64-based systems Version 21H2 for ARM64-based systems
Version 21H2 for 32-bit systems Version 1809 for 32-bit systems
Version 21H1 for 32-bit systems Version 21H1 for ARM64-based systems
Version 21H1 for x64-based systems Version 20H2 for 32-bit systems
Version 20H2 for x64-based systems Version 1607 for x64-based systems
Version 1607 for 32-bit systems For x64-based systems
Version 1909 for x64-based systems Version 1909 for 32-bit systems
Version 1809 for ARM64-based systems
Windows 11
For ARM64-based systems For x64-based systems
Windows Server 2008
R2 for x64-based systems Service Pack 1 (Server Core installation) R2 for x64-based systems Service Pack 1
For x64-based systems Service Pack 2 (Server Core installation) For x64-based systems Service Pack 2
For 32-bit systems Service Pack 2 (Server Core installation) For 32-bit systems Service Pack 2
Windows Server
Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2
Windows Server 2012 (Server Core installation) Windows Server 2012
Windows Server 2016 Windows Server 2016 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation) Windows Server 2019 (Server Core installation)
Windows Server 2019 Windows Server 2022 (Server Core installation)
Windows Server 2022

References

Appendix

Snippet of the post by a different threat actor advertising their exploit
Snippet of the post by a different threat actor advertising their exploit
 
Screenshot from Shodan depicting 1,707,532 publicly exposed machines running RPC
Screenshot from Shodan depicting 1,707,532 publicly exposed machines running RPC
   

Table of Contents

Request an easy and customized demo for free