CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. An attacker who successfully exploits it could run arbitrary code on the affected system.
To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.
The vulnerable system can be exploited without any interaction from any user.
This vulnerability carries a high risk and should be patched immediately.
Vulnerable Technologies: Microsoft reports that the following products and versions are vulnerable:
Windows 7 32-bit SP 1, Windows 7 x64 SP 1, Windows 8.1 32-bit, Windows 8.1 x64, Windows 10 32-bit, Windows 10 x64, Windows 10 20H2 32-bit, Windows 10 20H2 ARM64, Windows 10 20H2 x64, Windows 10 21H1 32-bit, Windows 10 21H1 ARM64, Windows 10 21H1 x64, Windows 10 21H2 32-bit, Windows 10 21H2 ARM64, Windows 10 21H2 x64, Windows 10 1607 32-bit, Windows 10 1607 x64, Windows 10 1809 32-bit, Windows 10 1809 ARM64, Windows 10 1809 x64, Windows 10 1909 32-bit, Windows 10 1909 ARM64, Windows 10 1909 x64, Windows 11 ARM64, Windows 11 x64, Windows RT 8.1, Windows Server 2008 32-bit SP 2, Windows Server 2008 x64 SP 2, Windows Server 2008 R2 x64 SP 1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server Version 20H2
Microsoft recommends blocking port 445 at the perimeter firewall as a technique to mitigate the possibility of internet-based exploitation.
Organizations need continuous port/vulnerability scanning to detect whether any port is open to the outside, even momentarily. If a continuous scan is not possible because of sensitive systems, an Attack Surface Management system should be used for instant detection.
If the DHCP service is enabled and the DHCP server is temporarily or permanently unavailable, TCP/IP assigns the machine a class B IP address in the range 169.254.0.0 to 169.254.255.255. This Windows function is called “Automatic Private IP Addressing”.
If you want to use static IP addresses on the machine, you need to disable IP autoconfiguration. To disable it:
1- Check in which interface autoconfiguration is on.
2- Find the index number of the interface with the command:
netsh interface ipv4 show interfaces
Our index is ‘2’ in this example.
3- Run the command below, replacing the ‘2’ with your index number:
netsh interface ipv4 set interface 2 dadtransmits=0 store=persistent
Windows 11 was made available to users in the Insider program. Microsoft released the Windows 11 ISO file for test users today.
To test Windows 11 with the Insider program, users had to update from Windows 10 build 21354. Windows 11, which is still in beta, has finally been released. It is expected that the new version will be available to all users by the end of this year.
With the Zone Identifier, we can tell whether a file was downloaded from the internet or not.
A file with zone.identifier extension is an ADS (Alternate Data Stream) file that contains information about another file. It describes the security zone for the file. Zone identifier files are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and cannot be opened directly.
Via PowerShell, we can find the Zone Identifier of a file:
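One way to do this, given as an added example and not code from the original post: the function below reads the Zone.Identifier stream of every file under a folder and decodes its ZoneId into the zone name. The function name Get-ZoneIdentifier and the Downloads path are assumptions chosen for illustration.

```powershell
# Added example: report files that carry a Zone.Identifier alternate data stream.
# Zone numbers follow the standard Windows URL security zones.
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-ZoneIdentifier {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream reads the named alternate data stream instead of the file body.
        # Files without the stream raise an error, which is suppressed here.
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }   # no stream: skip to the next file

        # The stream is INI-style text: a [ZoneTransfer] header, then ZoneId=<n>
        # and optionally ReferrerUrl= and HostUrl= lines.
        $fields = @{}
        foreach ($line in $lines) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }

        # A malformed stream without a numeric ZoneId is skipped, not guessed.
        $zoneId = $fields['ZoneId'] -as [int]
        if ($null -eq $zoneId) { return }

        [pscustomobject]@{
            File        = $file.FullName
            ZoneId      = $zoneId
            Zone        = $ZoneNames[$zoneId]
            HostUrl     = $fields['HostUrl']
            ReferrerUrl = $fields['ReferrerUrl']
        }
    }
}

# Assumed folder to inspect; change it as needed.
Get-ZoneIdentifier -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Alternate data streams exist only on NTFS volumes, so a file that has been copied through a FAT-formatted drive or extracted by a tool that does not propagate the stream will not appear in the output.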