Microsoft has reported an update for a vulnerability targeting Windows hosts running RPC (Remote Process Call Runtime) used with SMB. This vulnerability has been identified that could allow remote code execution (RCE) over a network without requiring authentication. Hosts running SMB have been found to be vulnerable to this attack. SMB port (445) is the most used and thus the most likely target of an attack. Microsoft’s guide to securing SMB traffic (https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic) should be followed.
Affected Systems
Windows systems.
Solution and CVE/CWE
CVE/CWE: CVE-2022-26809
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network firewall helps protect systems behind this firewall from attempts to exploit this vulnerability. Additionally, updates found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809 must be performed. It was also emphasized that they should limit lateral movement by allowing TCP port 445 only on machines where it is needed (domain controllers, printers, file servers, etc.).
Note: Those with a CVSS 3.1 score of 7.0-8.9 out of 10 are considered “high”, and those with 9.0-10.0 are considered “critical” vulnerabilities.
REFERENCE
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809