Critical Windows Vulnerability

Microsoft just issued a new CVE: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809

What does this mean exactly? Here is an explanation from Microsoft:

Remote Procedure Call Runtime Remote Code Execution Vulnerability

To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

Which Windows Systems are vulnerable?

  • Windows Server 2008 and above
  • Windows 7 and above

So what can you do about it, and how can LOGmanager help?

  1. Apply the newest Microsoft patch to your systems. This will ensure you are not vulnerable to this exploit.
  2. Make sure port 445 is closed on the firewall for traffic coming from outside. To run this exploit the attacker does not need any access permissions – just an open port 445.
  3. Check connections from outside to port 445 in LOGmanager. Of course you need logs from your FW to do this. We have Fortigate logs, so for example:


As you can see, we had 734 connection attempts to port 445 in the last 7 days. Because I used the filter msg.src_ip:192.168.* OR msg.src_ip:172.16.* OR 10.* set to NOT, I’m sure all those connections came from outside of my network – in other words, if the source IP is in the range of private addresses (RFC 1918), LOGmanager will not show it on the dashboard.

Now let’s see if any connections were accepted on the firewall.

Looks like no – all 734 connections were denied. That’s good – meaning no one was able to access port 445 from outside.

We can also check from which countries those connections came.

Looks like mostly Bulgaria/Russia. This of course does not mean that the attacker is actually sitting in one of those countries – usually they make use of VPNs/jump hosts/TOR/whatever to mask their origin.

Now, in this case, it looks like our network is safe. But in case you’d see any traffic with status accept after applying the above filters, I strongly suggest running a full investigation and looking for indicators of compromise (IoC) – for example persistent connections to the outside from your network at set intervals (C&C channels). There is a possibility the exploit was running in the wild before it was discovered…

There is also a possibility to run this attack from inside your network – in that case it will be much harder to detect just by looking at traffic, since it will be mixed with legitimate connections. What you can do though is reverse the NOT filter to show connections coming ONLY from inside your network and then check whether the destination servers are even supposed to have the SMB service running on port 445 – sometimes we simply forget to disable certain services 😉

With the filter reversed I now see 6773 connections to port 445.

I can now investigate which servers listed in the Destination IP graph should have the SMB service running and disable it where it is not needed.
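The two dashboard filters described above (port 445 from outside, then the reversed filter for port 445 from inside) as an added, stand-alone example that is not LOGmanager's own code: it runs over a few constructed FortiGate-style key=value lines (field names srcip/dstip/dstport/action are assumed here) and classifies sources against the full RFC 1918 ranges. Note that a wildcard such as 172.16.* only matches 172.16.0.0/16, while RFC 1918 reserves the whole 172.16.0.0/12, so the example uses ipaddress networks instead of prefix wildcards.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real firewall output) in a FortiGate-like
# key=value layout; the field names are assumptions for this example.
SAMPLE_LOGS = """\
srcip=203.0.113.10 dstip=198.51.100.5 dstport=445 action=deny
srcip=203.0.113.11 dstip=198.51.100.5 dstport=445 action=deny
srcip=198.51.100.77 dstip=198.51.100.5 dstport=445 action=accept
srcip=172.20.4.9 dstip=10.0.0.12 dstport=445 action=accept
srcip=10.1.1.5 dstip=10.0.0.12 dstport=445 action=accept
srcip=192.168.1.20 dstip=10.0.0.40 dstport=445 action=accept
srcip=203.0.113.12 dstip=198.51.100.5 dstport=443 action=accept
"""

# Explicit RFC 1918 list: ipaddress's built-in is_private also flags
# documentation ranges such as 203.0.113.0/24, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")


def parse(lines):
    """Turn each non-empty key=value line into a dict."""
    return [dict(KV.findall(line)) for line in lines.splitlines() if line.strip()]


def is_private(ip):
    """True when ip falls inside any RFC 1918 block (172.20.x.x counts, 172.32.x.x does not)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def port445_by_origin(logs, internal):
    """Count firewall actions for port-445 events whose source is internal (True) or external (False)."""
    actions = Counter()
    for event in parse(logs):
        if event.get("dstport") == "445" and is_private(event["srcip"]) == internal:
            actions[event["action"]] += 1
    return actions


def internal_smb_targets(logs):
    """The reversed filter: destination IPs that receive port-445 traffic from inside the network."""
    targets = Counter()
    for event in parse(logs):
        if event.get("dstport") == "445" and is_private(event["srcip"]):
            targets[event["dstip"]] += 1
    return targets
```

Any 'accept' in the external view is the case the post says warrants a full investigation; the internal target list is the set of servers to review for an SMB service that should not be running.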

That’s it folks! If you wish to know more about how to leverage LOGmanager dashboards to run analysis/investigation, check our user forum and YouTube channel where we share a lot of content.