Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime

Written by: Ben Barnea and Ophir Harpaz

As shown in the table, CVE-2022-26809 is a zero-click bug which requires no interaction to be exploited. For this reason, it scored the highest on the Common Vulnerability Scoring System (CVSS) — 9.8 out of 10 — indicating the high severity of the vulnerability, as well as the likeliness of attackers rushing to exploit it.

Who is vulnerable?

Any Windows machine where port 445 is exposed and the RPC runtime library is not patched is vulnerable. According to Shodan, more than 700,000 Windows machines expose this port to the internet. According to Microsoft, servers that listen on this TCP port are potentially vulnerable.

Locating and understanding the vulnerabilities

The CVE stated that the vulnerabilities lie within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll. This runtime library is loaded into both client and server processes utilizing the RPC protocol for communication.

We compared versions 10.0.22000.434 (unpatched, from March 2022) and 10.0.22000.613 (patched, from April 2022) and produced the following list of changes in various functions:

The functions OSF_CCALL::ProcessResponse and OSF_SCALL::ProcessReceivedPDU caught our eye. The two functions are similar in nature; both process RPC packets, but one runs on the client side and the other on the server side (CCALL and SCALL stand for client call and server call, respectively). We went on to diff OSF_SCALL::ProcessReceivedPDU, and noticed two code blocks that were added to the new version.

Looking at the fixed code, we saw that a new function was called after QUEUE::PutOnQueue. Zooming in on the new function and inspecting its code, we figured out it checks for integer overflows. Namely, the new function was added to verify that an integer variable remained within an expected value range.

Diving deeper into the vulnerable code in OSF_SCALL:GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it. This, in turn, allows data to be written out of the buffer’s bounds, on the heap. When exploited properly, this primitive could lead to remote code execution.

A similar call to check for integer overflow was added in other functions as well:

• OSF_CCALL::ProcessResponse

• OSF_SCALL::GetCoalescedBuffer

• OSF_CCALL::GetCoalescedBuffer

The integer overflow vulnerability and the function that prevents it exist in both client-side and server-side execution flows. 

Mitigation

Although RPC uses several security controls and mechanisms (security callbacks, 

We recommend the following mitigations, based also on Microsoft’s official advisories:

1. Apply the latest security updates that mitigate these vulnerabilities 

2. Although RPC is necessary for services used by the system, it is recommended to block traffic to TCP port 445 for devices outside of the enterprise perimeter

3. Limit lateral movement by allowing incoming TCP port 445 only on machines where it is needed (i.e., domain controllers, print servers, file servers, etc)

Akamai Guardicore segmentation rule

 Akamai Guardicore segmentation is meant to protect you from exploitation of these vulnerabilities. As previously mentioned, CVE-2022-26809 was given such a high CVSS score because it is zero-click. This means it  can go unnoticed by the user and, potentially, by the security team as well. By segmenting your network with explicit access controls, you will prevent the breach or lateral movement an attacker would leverage here. 

In order to apply the second mitigation and block SMB traffic from outside the network, create the following segmentation rule: