Microsoft’s “Patch Tuesday” update revealed a new RPC Remote Code Execution CVE that affects numerous server and workstation versions of Microsoft Windows. The vulnerability lies in the RPC runtime library, which applications use to access the Remote Procedure Call functionality within Windows. The bug details are not yet fully known, but it appears that sending a specially crafted packet is enough to trigger the exploit.
Given the trivial nature of the vulnerability, it is highly likely that PoC code will appear very shortly. This CVE therefore has the potential to be crippling in the same way that WannaCry utilised EternalBlue to spread internally, meaning ransomware attacks may blow up in the coming weeks. An equally worrying outcome could be an uptick in malware in the form of a fast-spreading internet worm like Blaster, propagating through computer networks and equipped with the capability to deploy malicious payloads.
While Microsoft has issued guidance, blocking the suggested ports at the firewall/perimeter is not feasible inside the perimeter, which is where this exploit could be used to greatest effect. Additionally, if you use File and Folder Sharing internally, those ports will already be open. Given that Microsoft Windows is the dominant operating system, it is critical that all companies using it bolster their security posture, using NDR solutions to monitor their networks so that anomalous activity can be quickly detected and isolated before it becomes an attack.
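The kind of anomaly an internal monitor would look for here is a single host suddenly opening RPC/SMB connections to many peers, the fan-out pattern a worm like Blaster or WannaCry produces as it spreads. The following is an added illustration, not code from the original post or from any NDR product: it parses a constructed flow log of (timestamp, source, destination, port) records and flags any source that contacts more than a threshold of distinct hosts on TCP 135 (the RPC endpoint mapper) or TCP 445 (SMB, the port File and Folder Sharing uses) within a sliding time window. The log format, the sample addresses and the window and threshold values are all assumptions chosen for the example.

```python
"""Flag worm-like internal fan-out over Windows RPC/SMB ports.

Added example, not code from the original post or an NDR vendor.
Assumes flow records in the constructed format below. Ports 135 (RPC
endpoint mapper) and 445 (SMB) are standard Windows ports; the window and
fan-out threshold are assumed tuning values a defender would adjust.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: timestamp, source IP, destination IP, dest port.
# 10.0.1.77 fans out to twelve hosts in six seconds; the others look normal.
SAMPLE_FLOWS = """\
2022-04-12T09:00:01 10.0.1.20 10.0.1.5 445
2022-04-12T09:00:03 10.0.1.20 10.0.1.5 445
2022-04-12T09:00:05 10.0.1.31 10.0.1.5 445
2022-04-12T09:10:00 10.0.1.77 10.0.1.1 135
2022-04-12T09:10:01 10.0.1.77 10.0.1.2 135
2022-04-12T09:10:01 10.0.1.77 10.0.1.3 445
2022-04-12T09:10:02 10.0.1.77 10.0.1.4 445
2022-04-12T09:10:02 10.0.1.77 10.0.1.5 445
2022-04-12T09:10:03 10.0.1.77 10.0.1.6 445
2022-04-12T09:10:03 10.0.1.77 10.0.1.7 135
2022-04-12T09:10:04 10.0.1.77 10.0.1.8 445
2022-04-12T09:10:04 10.0.1.77 10.0.1.9 445
2022-04-12T09:10:05 10.0.1.77 10.0.1.10 445
2022-04-12T09:10:05 10.0.1.77 10.0.1.11 445
2022-04-12T09:10:06 10.0.1.77 10.0.1.12 445
2022-04-12T09:30:00 10.0.1.20 10.0.1.6 445
"""

# Ports that carry RPC endpoint-mapper and SMB traffic on Windows networks.
RPC_SMB_PORTS = {135, 445}


def parse_flows(text):
    """Parse the constructed log into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_fanout_sources(flows, window=timedelta(minutes=5), threshold=10,
                        ports=RPC_SMB_PORTS):
    """Return {src: peak distinct destinations} for every source that reached
    more than `threshold` distinct hosts on `ports` within any sliding `window`.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ports:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in find_fanout_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {peak} distinct RPC/SMB peers within one window")
```

In practice the threshold would be set from a baseline of normal file-server and domain-controller traffic, and hosts with a legitimate reason to fan out (backup servers, vulnerability scanners, management stations) would be allow-listed so that the alert isolates only the unexpected spreader.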