Microsoft SMB Vulnerability | April 2022

A critical vulnerability was discovered in Microsoft's Server Message Block (SMB) service. Here's what you need to know.

Updated: April 13, 2022


Background

In their routine Patch Tuesday, Microsoft disclosed two critical vulnerabilities that impact the Server Message Block (SMB) service (CVE-2022-24500) and Windows RPC (CVE-2022-26809). The SMB service is used for sharing files, printers, and other operating system resources. Organizations are advised to apply updates to all Windows systems as soon as possible to mitigate potential worm-like malware that could auto-spread throughout an environment.


Quick facts: what you need to know now

  • At this time, no active exploit code has been released and no active scans are currently known but we can expect attackers to identify the issue and build working exploit code soon.
  • SMB is enabled by default on all Windows systems and is required for functionality in modern environments.
  • An attacker could exploit the vulnerability and run commands on the impacted system which can result in full compromise of the system and provide them a foothold in an organizations’ environment. Similar exploits have led to ransomware attacks. 

Next Steps for Microsoft Customers:

  1. Block TCP port 445 - Organizations should block TCP port 445 from being accessible to the Internet. Even prior to this vulnerability, blocking port 445 was a security best practice.
  2. Update Windows - All organizations should ensure that Windows systems are updated to the latest Windows versions in the April 2022 patches. While blocking the affected ports at the perimeter is the best defense to help avoid Internet-based attacks, systems could still be vulnerable to attacks from within if Windows is not patched.
  3. Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.

Resources


If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!