A recently disclosed security vulnerability in a Windows networking component is causing experts to sound the alarm over a possible wave of remote takeover attacks.
Designated CVE-2022-26809, the vulnerability is an integer overflow in the Microsoft Remote Procedure Call (RPC) runtime library. An attacker who can reach an RPC listener on the target could send a specially crafted RPC request to obtain code execution on that machine, without any user interaction. This would, in turn, allow the attacker to achieve a complete remote takeover of the vulnerable host and a foothold for wider network infiltration.
Microsoft released an update to patch the Windows RPC vulnerability in its April 12 monthly security update, and security experts advised users and administrators to get the fixes in place as soon as possible. While admins can reduce some of their attack surface by blocking TCP ports 135 and 445 on internet-facing systems, experts note that this is only a stopgap measure: the vulnerable code is the RPC runtime itself, so the flaw could still be exploited from within the network by any host that can reach RPC on the target.
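The perimeter stopgap described above, written out as an added PowerShell example for an internet-facing Windows host (this is not from the article or from Microsoft's guidance; the rule names and the decision to scope the block to the Public firewall profile are choices made here). Blocking 445 and 135 on the Domain or Private profiles would break SMB file sharing and the RPC endpoint mapper that Active Directory and DCOM depend on, which is exactly why the block is a stopgap and not a substitute for the April update.

```powershell
# Added example (not from the original article): block inbound SMB (TCP 445)
# and the RPC endpoint mapper (TCP 135) on the Public profile only, so
# domain-internal file sharing and RPC keep working. Run from an elevated
# PowerShell prompt. Rule names are chosen here, not taken from any vendor.
$blockRules = @{
    'Block-Inbound-SMB-445-Public' = 445
    'Block-Inbound-RPC-135-Public' = 135
}

foreach ($name in $blockRules.Keys) {
    # Idempotent: re-running the script does not create duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort $blockRules[$name] `
            -Action Block -Profile Public -Enabled True | Out-Null
        Write-Host "Created $name"
    }
    else {
        Write-Host "$name already present"
    }
}

# Verify the rules took effect on the intended profile.
Get-NetFirewallRule -DisplayName 'Block-Inbound-*-Public' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action |
    Format-Table -AutoSize

# Show what is actually listening on the two ports. A LocalAddress of
# 0.0.0.0 or :: means the listener is bound on every interface, so the
# firewall rule is the only thing keeping it off the internet-facing side.
Get-NetTCPConnection -State Listen -LocalPort 135, 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize
```

The listener check at the end is the part worth keeping after patching: if an internet-facing host still shows a 0.0.0.0 or :: listener on 445 or 135 and the interface is on a profile the rule does not cover, the port is exposed regardless of the rule above.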
In a blog post Wednesday, Akamai Technologies security researchers Ben Barnea and Ophir Harpaz said there is no shortage of potential targets for attackers to choose from at the moment.
"Any Windows machine where port 445 is exposed and the RPC runtime library is not patched is vulnerable," Barnea and Harpaz wrote. "According to Shodan, more than 700,000 Windows machines expose this port to the internet. According to Microsoft, servers that listen on this TCP port are potentially vulnerable."
Word of vulnerabilities in remote access protocols in Windows will no doubt cause many admins and network defenders to have pangs of anxiety. Vulnerabilities in the Windows Remote Desktop Protocol have enabled a number of high-profile attacks in recent years via automated exploit tools.
Dustin Childs, communications manager at Trend Micro's Zero Day Initiative, said that in this case, there is real danger that the Windows RPC bug could be weaponized for automated malware attacks such as a worm.
"Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached," Childs noted. "However, the static port used here (TCP port 135) is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker. Definitely test and deploy this one quickly."