CVE-2024-20687

7.5 HIGH

📋 TL;DR

This vulnerability in Microsoft's AllJoyn API allows attackers to cause a denial of service by sending specially crafted packets. It affects systems running Windows with AllJoyn enabled, potentially causing service crashes or system instability. The vulnerability requires network access to the affected system.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the AllJoyn API is enabled and reachable over the network. AllJoyn is not enabled by default on most Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or persistent denial of service requiring reboot, potentially affecting multiple services that depend on AllJoyn functionality.

🟠

Likely Case

Temporary service disruption or application crashes affecting AllJoyn-dependent functionality until system restart.

🟢

If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to trusted networks only.

🌐 Internet-Facing: MEDIUM - The vulnerability requires network access, and AllJoyn services are typically not exposed to the internet by default, but misconfigurations could increase risk.
🏢 Internal Only: HIGH - On internal networks, attackers could exploit this to disrupt services on affected systems, especially where an attacker already has a foothold that allows lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable system but no authentication. The assigned weakness, CWE-125 (Out-of-bounds Read), points to a memory-safety bug in packet handling that can crash the affected process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2024 security updates (KB5034123 for Windows 10, KB5034127 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20687

Restart Required: Yes

Instructions:

1. Install the January 2024 Windows security updates via Windows Update.
2. Alternatively, download and install the specific KB update for your Windows version from the Microsoft Update Catalog.
3. Restart the system after installation.

🔧 Temporary Workarounds

Disable AllJoyn Service (Windows)

Disable the AllJoyn Router Service if it is not required in your environment:

sc stop AJRouter
sc config AJRouter start= disabled

Block AllJoyn Network Ports (Windows)

Block network access to the AllJoyn ports (typically 9955-9956 TCP/UDP) using firewall rules:

netsh advfirewall firewall add rule name="Block AllJoyn" dir=in action=block protocol=TCP localport=9955-9956
netsh advfirewall firewall add rule name="Block AllJoyn UDP" dir=in action=block protocol=UDP localport=9955-9956

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems with AllJoyn enabled from untrusted networks
  • Monitor for unusual network traffic to AllJoyn ports (9955-9956) and system crashes related to AllJoyn services

🔍 How to Verify

Check if Vulnerable:

Check whether the AllJoyn Router Service (AJRouter) is running and whether the January 2024 security updates are installed.

Check Version:

wmic qfe list | findstr KB5034123

Replace KB5034123 with the KB appropriate for your Windows version.

Verify Fix Applied:

Confirm that the January 2024 security updates are installed and that the AllJoyn service is either updated or disabled.
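The three verification steps above (service state, installed KB, firewall coverage) combined into one per-host check. This is an added example, not part of the original advisory or any Microsoft tooling. It assumes the KB IDs are the ones this page lists (KB5034123, KB5034127); the correct January 2024 cumulative update for your exact build must be confirmed against the MSRC advisory, and the ports (9955-9956) are the ones named in the workaround section. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not part of the original advisory): per-host exposure check for
# CVE-2024-20687. Run in an elevated PowerShell 5.1+ session on the host.
# Assumption (labelled): the KB IDs are the ones this page lists; confirm the
# correct January 2024 cumulative update for your build against the MSRC advisory.

$KbCandidates = @('KB5034123', 'KB5034127')   # from this page; not verified per build here
$AllJoynPorts = @(9955, 9956)                 # ports named in the workaround section

# Does a firewall port-filter entry ('9955', '9955-9956' or 'Any') cover $Port?
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

function Get-AllJoynExposure {
    param([string[]]$KbIds = $KbCandidates, [int[]]$Ports = $AllJoynPorts)

    # 1. Is the AllJoyn Router Service present, running, or disabled?
    $svc         = Get-Service -Name 'AJRouter' -ErrorAction SilentlyContinue
    $svcPresent  = $null -ne $svc
    $svcRunning  = $svcPresent -and ($svc.Status -eq 'Running')
    $svcDisabled = $svcPresent -and ($svc.StartType -eq 'Disabled')

    # 2. Is one of the candidate updates installed? (Get-HotFix replaces wmic qfe)
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $matchedKb = @($installed | Where-Object { $KbIds -contains $_ }) | Select-Object -First 1

    # 3. Is every port blocked inbound for both TCP and UDP by an enabled block rule?
    $covered = @{}
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        foreach ($p in $Ports) {
            foreach ($proto in 'TCP', 'UDP') {
                $protoOk = ($pf.Protocol -eq $proto) -or ($pf.Protocol -eq 'Any')
                if ($protoOk -and (Test-PortCovered -LocalPort @($pf.LocalPort) -Port $p)) {
                    $covered["$proto/$p"] = $true
                }
            }
        }
    }
    $needed = foreach ($p in $Ports) { foreach ($proto in 'TCP', 'UDP') { "$proto/$p" } }
    $portsBlocked = @($needed | Where-Object { -not $covered[$_] }).Count -eq 0

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AJRouterPresent  = $svcPresent
        AJRouterRunning  = $svcRunning
        AJRouterDisabled = $svcDisabled
        MatchedKb        = $matchedKb
        PortsBlocked     = $portsBlocked
        # Exposed only if the service is actually running, no listed KB is present,
        # and the ports are not blocked at the host firewall.
        LikelyExposed    = $svcRunning -and (-not $matchedKb) -and (-not $portsBlocked)
    }
}

Get-AllJoynExposure | Format-List
```

A host with AJRouter absent or disabled reports `LikelyExposed = False` regardless of patch state, which matches the advisory's note that the bug is only reachable when the service is enabled; a host that is merely firewalled still shows `MatchedKb` empty so the missing update remains visible in the output.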

📡 Detection & Monitoring

Log Indicators:

  • Event ID 1000 or 1001 application crashes for AllJoyn processes
  • System event logs showing service crashes for AJRouter

Network Indicators:

  • Unusual traffic to TCP/UDP ports 9955-9956
  • Multiple connection attempts to AllJoyn services

SIEM Query:

((EventID=1000 OR EventID=1001) AND ProcessName="AJRouter.exe") OR (EventID=7034 AND ServiceName="AJRouter")
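The same detection logic run directly against a host's event logs, as an added example that is not part of the original advisory. It assumes that Application log Event IDs 1000/1001 name the faulting process in their message text and that System log Event ID 7034 (Service Control Manager) names the service by its display name, "AllJoyn Router Service"; the process name AJRouter.exe is taken from the SIEM query above. If on your build the service is hosted inside a shared svchost.exe process, the 1000/1001 events will name that host process and a faulting module instead, and the pattern should be widened accordingly. The sample records at the end are constructed, not real log data.

```powershell
# Added example (not part of the original advisory): local-host equivalent of the
# SIEM query above, with explicit grouping of the two crash patterns.
# Assumptions (labelled): 1000/1001 messages name the faulting process; 7034
# messages name the service by display name. Patterns may need adjusting per build.

function Test-AllJoynCrashEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Message
    )
    # (application crash naming AJRouter.exe) OR (SCM 7034 naming the AllJoyn service)
    $appCrash = ($Id -in @(1000, 1001)) -and ($Message -match 'AJRouter\.exe')
    $svcCrash = ($Id -eq 7034) -and ($Message -match 'AJRouter|AllJoyn Router')
    return [bool]($appCrash -or $svcCrash)
}

function Get-AllJoynCrashEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Pull only the event IDs of interest, then apply the predicate to the message text
    $app = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034; StartTime = $since } -ErrorAction SilentlyContinue
    @($app) + @($sys) |
        Where-Object { $_ -and (Test-AllJoynCrashEvent -Id $_.Id -Message ([string]$_.Message)) } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ([string]$_.Message -split "`r?`n")[0] } }
}

# Constructed sample records (not real log data) showing the predicate's verdicts
$samples = @(
    @{ Id = 1000; Message = 'Faulting application name: AJRouter.exe';                      Expect = $true  },
    @{ Id = 7034; Message = 'The AllJoyn Router Service service terminated unexpectedly.';   Expect = $true  },
    @{ Id = 1000; Message = 'Faulting application name: notepad.exe';                       Expect = $false },
    @{ Id = 7034; Message = 'The Print Spooler service terminated unexpectedly.';           Expect = $false },
    @{ Id = 7036; Message = 'The AllJoyn Router Service service entered the stopped state.'; Expect = $false }  # clean stop, not a crash
)
foreach ($s in $samples) {
    $got    = Test-AllJoynCrashEvent -Id $s.Id -Message $s.Message
    $status = if ($got -eq $s.Expect) { 'OK' } else { 'FAIL' }
    '{0,-4} id={1} expected={2} got={3}' -f $status, $s.Id, $s.Expect, $got
}

# Live query over the last 24 hours (returns nothing on a healthy host)
Get-AllJoynCrashEvents -Hours 24 | Format-Table -AutoSize
```

The explicit parentheses matter: without them, `AND` binding tighter than `OR` in most query languages would still happen to give the intended grouping, but the 7036 sample shows why the predicate keys on 7034 (unexpected termination) rather than on any AJRouter service-state event, since a deliberate `sc stop AJRouter` from the workaround above must not be counted as a crash.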

🔗 References
