Designated CVE-2022-26809, the vulnerability describes an integer overflow error in the Microsoft Remote Procedure Call networking service where an attacker could use a specially crafted RPC request to obtain code execution on the target server.
This would, in turn, allow the attacker to achieve a complete remote takeover of the vulnerable machine and a foothold for wider network infiltration. Microsoft released an update to patch the Windows RPC vulnerability in its April 12 monthly security update, and security experts advised users and administrators to get the fixes in place as soon as possible. While admins can reduce some of their attack surface by blocking TCP ports 135 and 445 on internet-facing systems, experts note that this is only a stopgap measure, as the flaw could still be exploited from within the network. In a blog post Wednesday, Akamai Technologies security researchers Ben Barnea and Ophir Harpaz said there is no shortage of potential targets for attackers to choose from at the moment. "Any Windows machine where port 445 is exposed and the RPC runtime library is not patched is vulnerable," Barnea and Harpaz wrote. "According to Shodan, more than 700,000 Windows machines expose this port to the internet. According to Microsoft, servers that listen on this TCP port are potentially vulnerable."
Word of vulnerabilities in remote access protocols in Windows will no doubt cause many admins and network defenders to have pangs of anxiety. Dustin Childs, communications manager at Trend Micro's Zero Day Initiative, said that in this case, there is real danger that the Windows RPC bug could be weaponized for automated malware attacks such as a worm. Vulnerabilities in the Windows Remote Desktop Protocol have enabled a number of high-profile attacks in recent years via automated exploit tools. "Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached," Childs noted. "However, the static port used here (TCP port 135) is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker."
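The port-blocking stopgap the article describes, as an added example that is not from the article or the researchers it quotes: it creates inbound Windows Defender Firewall block rules for TCP 135 and 445 and then verifies them. Scoping the rules to the Public profile is an assumption standing in for "internet-facing"; the rule name prefix is likewise an arbitrary local choice. As the article notes, this reduces exposure from outside only and does not replace the April 12 update.

```powershell
# Added example: block inbound TCP 135 and 445 on the Public (assumed internet-facing) profile.
# This only limits reachability from outside the perimeter; hosts inside the network can
# still reach RPC, so the April 12 update remains the actual fix. Run from an elevated session.
$rulePrefix = 'Stopgap-Block-RPC'           # assumed, local naming choice
$ports      = @(135, 445)                   # the two ports named in the article

foreach ($port in $ports) {
    $name = "$rulePrefix-TCP-$port-In"
    # Idempotent: only create the rule if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
                            -Direction Inbound `
                            -Protocol TCP `
                            -LocalPort $port `
                            -Action Block `
                            -Profile Public `
                            -Enabled True | Out-Null
    }
}

# Verify: list the rules together with the port each one covers.
Get-NetFirewallRule -DisplayName "$rulePrefix*" |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Port    = $filter.LocalPort
            Action  = $_.Action
        }
    } | Format-Table -AutoSize

# Show what is currently listening on those ports (the RPC endpoint mapper on 135 and
# SMB on 445 normally are), which is why the rules matter on an exposed host.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
```

Remove the rules with `Get-NetFirewallRule -DisplayName "$rulePrefix*" | Remove-NetFirewallRule` once the host is patched and the exposure has been reviewed.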