Over a million systems connected to the Internet could be vulnerable to a wormable or self-spreading vulnerability in the Windows Remote Procedure Call protocol, researchers warn.

The bug can be abused for remote code execution at high privilege levels, with no user interaction or authentication required.
Administrators who expose Windows computers running the Server Message Block (SMB) file sharing protocol to the Internet should block traffic to port 445 to avoid attacks.
However, the vulnerability could still be exploited from inside firewall perimeters, security researchers warned.
"CVE-2022-26809 Yes, blocking 445 at your network perimeter is necessary but not sufficient to help prevent exploitation. If by April 2022 you STILL have SMB exposed to the broader internet you've got some soul searching to do. Now, about those hosts already inside your network... pic.twitter.com/jS8fPrv8E2"
— Will Dormann (@wdormann) April 13, 2022
A scan with the Censys.io search engine shows several thousand potentially vulnerable systems on Australian networks.
The April set of Patch Wednesday security updates addresses the flaw, which carries a Common Vulnerability Scoring System version 3.1 rating of 9.8 out of 10.0.
Security vendor F-Secure head Mikko Hyppönen advised administrators to apply the patch soon, "before we see Blaster worm all over again".
The Blaster worm quickly spread throughout the world in August 2003, forcing internet providers to apply filters to drop traffic to and from ports 139 and 445 to curb the infection rate.
A privilege escalation bug, tracked with the Common Vulnerabilities and Exposures index CVE-2022-24521, is also patched this month together with several critical remote code execution flaws, some of which are currently being exploited.
The United States National Security Agency and security vendor CrowdStrike reported the no-user-interaction vulnerability to Microsoft.