Endpoint Protection

  • 1.  CVE-2022-26809 - definitions/response from Broadcom

    Posted Apr 13, 2022 08:28 AM
    Hi,

    Has Broadcom provided definitions or a response for this CVE or the other zero days, i.e. if not certified defs will SONAR pick this up?


  • 2.  RE: CVE-2022-26809 - definitions/response from Broadcom

    Posted Apr 14, 2022 09:56 AM

    This is an RCE attack or vulnerability; this means that Host Firewall and HIPS signatures are the first line of defense.

    SONAR and Bloodhound are local file execution and process behavior driven.

    I can show you how to create these rules for your endpoints; I currently have 80,000 endpoints running Host FW and HIPS, with some custom HIPS also. Power over looked tools.

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
  • 3.  RE: CVE-2022-26809 - definitions/response from Broadcom

    Posted Apr 14, 2022 01:01 PM
    Edited by wpalmer2 Apr 14, 2022 01:02 PM
    Hey there Gregory,

    Thank you for the additional information. Would it be possible to provide guidance here in this forum thread for creating these rules for endpoints in an environment?
    Additionally, what did you mean by "Power over looked tools.", sorry?

    Thank you for your time


  • 4.  RE: CVE-2022-26809 - definitions/response from Broadcom

    Posted Apr 17, 2022 10:13 PM

    As part of April's Patch Tuesday, Microsoft has patched a critical Windows RPC vulnerability (CVE-2022-26809) which allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol.

    Symantec protects you from this threat, identified by the following:

    Network-based

    • Attack: Fake SMB Server Response
    • Audit: EFSRPC Bind Attempt
    • Audit: Suspicious SMB Client Request 2

    Please see: https://www.broadcom.com/support/security-center/protection-bulletin#bltb2624499b61be52c_en-us