CVE-2022-26809: Microsoft RPC Remote Code Execution

Introduction

On April 12th, 2022, Microsoft announced a fix for a vulnerability targeting Windows hosts running the Remote Procedure Call Runtime (RPC) commonly used with Windows SMB. This vulnerability has been given a CVSS score of 9.8 (critical) as the attack does not require authentication and can be executed remotely over a network, and can result in remote code execution (RCE).

The vulnerability was assigned CVE-2022-26809, and administrators can find more information on Microsoft’s MSRC. Details on the exact vulnerability are currently fuzzy as bad actors may use this information to create a wormable exploit if too much information is divulged to the public. We know that Windows hosts running SMB are vulnerable to this attack, and host owners should follow Microsoft’s guide to securing SMB traffic in Windows. While it seems the vulnerability exists in any service that utilizes the Microsoft RPC mechanisms, SMB (port 445) is the most used and, thus, the most likely target of an attack.

A Censys View

Censys data shows that as of April 13th, 2022, 1,304,288 hosts are running the SMB protocol, 824,011 (63%) of which were identified as running a Windows-based operating system. Readers should note that Censys could not determine the running OS for approximately 369,485 (28%) hosts running SMB.

• Censys SMB Search:
  •  services.service_name=SMB
• Censys SMB Search (Microsoft products only):
  • (services.service_name=SMB) and services.software.vendor: “microsoft”

Top Five Countries Running SMB

Top Five Autonomous Systems Running SMB

For Censys Customers

A risk for exposed SMB services already exists for Censys ASM customers, but in light of this vulnerability, we have increased the criticality from “high” to “critical” along with a note about this CVE.

Updates

Censys will continue to monitor this issue, and update this post accordingly.