CVE-2022-26809

FAQ

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

Why did Microsoft remove the Mitigation to “Block TCP port 445 at the enterprise perimeter firewall”?

The researcher who submitted the vulnerability used SMB as the attack vector to trigger the exploit in the RPC service, so the mitigation was effective for the issue that was presented to us. Although blocking ports 139 and 445 [SMB] at the perimeter firewall is a recommended practice, it does not directly protect against all potential attack scenarios for this specific vulnerability. At this time we are not aware of any other specific attack vectors for this vulnerability, and continue to encourage users to:

• Apply the April 2022 security updates to fully address this issue.
• Follow Microsoft guidelines to secure SMB traffic. See Secure SMB Traffic in Windows Server.

The vulnerability is in RPC, not SMB. Should I also block RPC?

The known attack that was presented to Microsoft does not use TCP Port 135 to initiate an exploit but, as the vulnerability is in RPC, blocking TCP port 135 at the enterprise perimeter firewall is a recommended best practice that would reduce the likelihood of other potential attacks against this vulnerability.