BugAlertDotOrg / bugalert

New Vuln: Pre-auth, wormable RCE in Windows RPC #51

Closed malexmave closed 2 years ago

malexmave commented 2 years ago

I don't have the time or understanding of the situation, but I wanted to get some eyeballs on this so that someone else can write this up: It seems like there is a pre-auth, wormable RCE in Windows RPC.

Maybe someone else can write up an announcement, if this meets the bar for one.

Edit: Fixed the link, used to point to the wrong update guide, sorry.

sullivanmatt commented 2 years ago

I struggle with these types of issues because exposing TCP/445 to the Internet, and then not promptly updating that system, is just catastrophically careless. Yet, we know it's common; Shodan says over a million systems could be impacted.

I'm always up for discussion (I don't mind being told I'm being silly 😄), but generally speaking, if the vulnerability has a patch, with no PoC so far, and is only widely exploitable if you open a very sensitive port to the Internet, it probably doesn't reach the threshold for publishing a notice. Regardless of those facts, it is always best to ask the question and bring the issue to this team, so I very much appreciate you doing that, Max!