Windows RPC Vulnerability (CVE-2022-26809)

ID: CVE-2022-26809

Rating: 9.8 (out of 10)

Severity: Critical

Vulnerability: Remote code execution

Error Type: Integer overflow in rpcrt4.dll

Additional information

Microsoft has fixed a new vulnerability in Windows RPC, CVE-2022-26809, which has raised concern among security researchers because of its potential for widespread and significant cyber attacks. All organizations should therefore apply the Windows security updates as soon as possible. Microsoft addressed the vulnerability in its April 2022 security update, classifying it as "critical" because of the possibility of unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) protocol implementation.

The vulnerability is rated critical (9.8 out of 10): if exploited, any command runs at the same privilege level as the Remote Procedure Call (RPC) server process, which in many cases has elevated privileges or runs as SYSTEM and therefore provides full administrative access to the exploited device. An attacker can use this vulnerability to break into a system from outside and also to move laterally between machines inside the network.

Examining the security patch provided by Microsoft shows that, to eliminate this vulnerability in the dynamic library rpcrt4.dll, a value check that prevents the integer overflow was added to both the client-side (OSF_CCALL::ProcessResponse) and the server-side (OSF_SCALL::ProcessReceivedPDU) code paths of the RPC runtime.
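The following is an added illustration of the bug class the patch addresses and of the kind of value check that closes it; it is constructed for this page and is not code from rpcrt4.dll or from Microsoft. The fragment structure, the function names and the sample fragment lengths are all assumptions made for the example: a receiver that sums 32-bit fragment lengths into a 32-bit total before sizing a buffer will wrap silently, so the hardened version rejects any fragment whose length would push the running total past the allowed maximum before adding it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fragment header: only the payload length matters here.
 * This is NOT the RPC runtime's real PDU layout. */
typedef struct {
    uint32_t frag_len;
} rpc_frag;

/* Unchecked accumulation: the sum wraps modulo 2^32, so a later
 * allocation based on the result is far smaller than the data that
 * will be copied into it. */
uint32_t total_len_unchecked(const rpc_frag *frags, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += frags[i].frag_len;      /* silently wraps on overflow */
    return total;
}

/* Checked accumulation in the spirit of the fix: before adding a
 * fragment, verify that it fits in the remaining headroom below
 * max_total. Because total never exceeds max_total, the subtraction
 * cannot itself underflow. Returns false and leaves *out untouched
 * when the PDU sequence must be rejected. */
bool total_len_checked(const rpc_frag *frags, size_t n,
                       uint32_t max_total, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (frags[i].frag_len > max_total - total)
            return false;               /* would wrap or exceed the cap */
        total += frags[i].frag_len;
    }
    *out = total;
    return true;
}

/* Constructed sample input: two fragments whose lengths sum past 2^32. */
static const rpc_frag wrapping_frags[] = { { 0xFFFFFFF0u }, { 0x20u } };
/* Constructed benign input that any receiver should accept. */
static const rpc_frag benign_frags[]   = { { 0x100u }, { 0x200u } };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Result of the unchecked sum on the wrapping input: 0x10 instead of
 * 0x100000010, the classic integer-overflow symptom. */
uint32_t demo_unchecked_wraps(void)
{
    return total_len_unchecked(wrapping_frags, COUNT(wrapping_frags));
}

/* The checked sum refuses the same input. */
bool demo_checked_rejects(void)
{
    uint32_t t = 0;
    return !total_len_checked(wrapping_frags, COUNT(wrapping_frags),
                              UINT32_MAX, &t);
}

/* The checked sum still accepts ordinary traffic; returns the total,
 * or 0 if it was (wrongly) rejected. */
uint32_t demo_checked_accepts(void)
{
    uint32_t t = 0;
    if (!total_len_checked(benign_frags, COUNT(benign_frags), UINT32_MAX, &t))
        return 0;
    return t;
}

int main(void)
{
    printf("unchecked total on wrapping input: 0x%x\n", demo_unchecked_wraps());
    printf("checked version rejects it:        %s\n",
           demo_checked_rejects() ? "yes" : "no");
    printf("checked total on benign input:     0x%x\n", demo_checked_accepts());
    return 0;
}
```

The design point is the order of operations: the bound is tested against the remaining headroom (`max_total - total`) before the addition, never against the already-overflowed sum afterwards, and the cap is a protocol-level limit rather than merely UINT32_MAX in a real implementation.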

Vulnerable versions

  • All versions of Windows Client (7 to 11)
  • All versions of Windows Server (2008 to 2022)

Security recommendations

You can fix this vulnerability by installing the security patch Microsoft published for the following advisory:

CVE-2022-26809

The main problem is that, because this vulnerability lies in rpcrt4.dll, not only Microsoft's default services but also a wide variety of third-party applications are affected and vulnerable. So even if an organization blocks the usual Windows ports (135 and 445), it may still have vulnerable RPC clients and servers on its network: backup agents, antivirus products, and even pentest tools that use RPC. The best course of action is therefore to install the security patches as soon as possible.