Microsoft released over 100 security updates in its April 2022 monthly patch cycle, among them critical remote code execution (RCE) vulnerabilities in the Windows Remote Procedure Call (RPC) runtime. RPC traffic is commonly carried over Server Message Block (SMB), the protocol used primarily for file sharing and inter-process communication, so a host that exposes SMB (TCP port 445) exposes the vulnerable RPC code path as well.
The headline flaw, tracked as CVE-2022-26809 and rated CVSS 9.8, allows an unauthenticated attacker to send a specially crafted RPC call to a host with an open SMB port and execute code remotely. CVE-2022-26809 is one of three RPC runtime vulnerabilities Microsoft patched in this cycle; the other two are tracked as CVE-2022-24492 and CVE-2022-24528.
How can these vulnerabilities affect my organization?
Successful exploitation gives an attacker remote code execution on any reachable system, internal or internet-facing, without authentication. In the case of these Microsoft vulnerabilities, the attacker executes code on the vulnerable machine with the privileges of the process hosting the RPC runtime, by way of the SMB port (TCP 445). Microsoft scores the attack complexity as low: no privileges and no user interaction are needed, only network reachability. A compromised host can then be used to move laterally and look for additional vulnerable systems or other weaknesses in the network.
Exposure at this scale should raise alarm for CISOs. Reposify’s EASM platform enables real-time asset monitoring, and in this case it identified more than 800,000 internet-facing nodes with SMB open. Some of these sit on systems where the patch has been installed, but most remain unpatched. For those, the vulnerabilities are a direct vector for malicious parties, posing undue risk to the organization at large.
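What a scan for exposed SMB actually does, shown here as an added example (this is not Reposify’s code and is not from the original post): send an SMB2 NEGOTIATE to TCP 445 and parse the reply. A parsed NEGOTIATE response is what separates a live SMB listener from a port that merely accepts a TCP connection, and it also reveals the dialect and whether message signing is required. The sample response bytes are constructed, not captured, so the parser can be exercised offline; the live probe assumes you are authorised to scan the target. The limitation matters: a NEGOTIATE reply proves SMB is reachable, it does not tell you whether the April 2022 RPC runtime update is installed, which has to be verified on the host itself.

```python
"""Fingerprint an exposed SMB service on TCP 445 with an SMB2 NEGOTIATE exchange.

Added example, not part of the original post or Reposify's product. It shows
the kind of check an attack-surface scan performs to flag hosts that expose
SMB (and therefore the RPC-over-named-pipe path) to the internet. A NEGOTIATE
response proves reachability, not patch state.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"           # SMB2/3 protocol identifier
SMB1_MAGIC = b"\xffSMB"           # legacy SMB1 (CIFS) identifier
SMB2_NEGOTIATE = 0x0000           # SMB2 command code for NEGOTIATE
SIGNING_ENABLED = 0x01            # SecurityMode bit: signing supported
SIGNING_REQUIRED = 0x02           # SecurityMode bit: signing mandatory
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

# SMB2 header (MS-SMB2 2.2.1.2): 64 bytes, little-endian.
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"


def _nbss(smb: bytes) -> bytes:
    """Prefix an SMB message with the 4-byte NetBIOS session-service header
    (type 0x00 = session message, followed by a 3-byte big-endian length)."""
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    """Build an SMB2 NEGOTIATE request. SMB 3.1.1 is deliberately left out of
    the offered dialects because it would require negotiate contexts."""
    header = struct.pack(SMB2_HEADER, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # NEGOTIATE request body (MS-SMB2 2.2.3): StructureSize is always 36.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return _nbss(header + body)


def parse_negotiate_response(data: bytes) -> dict:
    """Parse the server's reply to a NEGOTIATE request."""
    smb = data[4:]                                   # strip NetBIOS header
    if smb[:4] == SMB1_MAGIC:
        return {"smb2": False, "note": "server answered with an SMB1 header"}
    if smb[:4] != SMB2_MAGIC or len(smb) < 64 + 65:
        raise ValueError("not an SMB2 NEGOTIATE response")
    _, hdr_size, _, status, command = struct.unpack_from("<4sHHIH", smb, 0)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected SMB2 header: command={command} status={status:#x}")
    # NEGOTIATE response body (MS-SMB2 2.2.4) starts right after the header.
    body_size, security_mode, dialect, _, server_guid, caps = struct.unpack_from(
        "<HHHH16sI", smb, 64)
    if body_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {body_size}")
    return {
        "smb2": True,
        "dialect": DIALECTS.get(dialect, f"unknown ({dialect:#06x})"),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        "server_guid": str(uuid.UUID(bytes_le=server_guid)),
        "capabilities": caps,
    }


def probe_smb(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect to host:port, send NEGOTIATE and return the parsed reply.
    Only run this against hosts you are authorised to scan."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        return parse_negotiate_response(sock.recv(4096))


def constructed_sample_response() -> bytes:
    """A constructed (not captured) NEGOTIATE response: SMB 3.0, signing
    enabled but not required. Lets the parser be exercised offline."""
    header = struct.pack(SMB2_HEADER, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x01, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags 0x01 = server-to-client
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, SIGNING_ENABLED, 0x0300, 0,
                       b"\x11" * 16, 0x7, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    body += b"\x00"                                  # empty security buffer
    return _nbss(header + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_smb(sys.argv[1]))                # live probe of an authorised target
    else:
        print(parse_negotiate_response(constructed_sample_response()))
```

Run without arguments to parse the constructed sample; pass a host name or address to probe a system you are authorised to test. Any host on the public internet that returns a valid NEGOTIATE here is the kind of asset the paragraph above counts as exposed, whether or not its owner knows it is there.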
My company is vulnerable. What steps can I take to defend against these threats?
First, install Microsoft’s April 2022 security updates immediately and confirm that every Windows machine in the organization has received them. Second, do not expose SMB outside the organization’s perimeter: Microsoft’s own mitigation guidance for these flaws is to block TCP port 445 at the enterprise perimeter firewall. Note that a perimeter block does not protect against an attacker who is already inside the network, so it reduces exposure but is not a substitute for patching.
For companies that aren’t in a position to patch immediately, the best place to start is preparedness. Organizations can only protect the assets they know they have. An EASM platform like Reposify’s gives companies a precisely mapped, comprehensive view of their asset inventory. That frees up manpower that security teams need as they respond to RCE vulnerabilities like the ones Microsoft just patched, and it shortens response time by showing where the organization is most exposed.
How Reposify’s EASM platform flags exposed unknown assets vulnerable to the RPC/SMB threat
Reposify’s discovery mechanism maps the internet in real time, enabling security teams to detect unknown exposed assets, in this case hosts answering SMB on TCP 445 from the public internet, that are vulnerable to Microsoft’s RCE flaws and pose a risk to your organization.
The Reposify platform lets you filter and sort assets through the GUI or the API, whichever you prefer, with an intuitive user interface for navigation, identification and ongoing asset monitoring.
Only with an accurate inventory that takes the entire supply chain, third-party vendors and subsidiaries into account can organizations achieve real perimeter security.
Think you’re vulnerable? Request a demo here.