CVE-2024-21307 – This vulnerability allows an attacker to execut... (How to Fix)

Q: What is the severity of CVE-2024-21307?

CVE-2024-21307 has a CVSS score of 7.5 (HIGH). This vulnerability allows an attacker to execute arbitrary code on a victim's system by tricking them into connecting to a malicious RDP server. It affects Windows Remote Desktop Client users. Successful exploitation requires user interaction but can lead to full system compromise.

📋 TL;DR

This vulnerability allows an attacker to execute arbitrary code on a victim's system by tricking them into connecting to a malicious RDP server. It affects Windows Remote Desktop Client users. Successful exploitation requires user interaction but can lead to full system compromise.

💻 Affected Systems

Products:

Windows Remote Desktop Client

Versions: Specific versions as listed in Microsoft advisory (typically recent Windows 10/11 versions)

Operating Systems: Windows 10, Windows 11, Windows Server 2022, Windows Server 2019

Default Config Vulnerable: ⚠️ Yes

Notes: Affects default RDP client installations. Requires user to connect to malicious RDP server.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Attacker gains user-level access to execute code, steal credentials, or move laterally within the network.

🟢

If Mitigated

Limited impact due to network segmentation, application whitelisting, or exploitation attempts being blocked by security controls.

🌐 Internet-Facing: MEDIUM - Requires user to initiate connection to malicious server, but phishing or drive-by attacks could facilitate this.

🏢 Internal Only: HIGH - Internal attackers could set up malicious RDP servers and trick users into connecting, bypassing perimeter defenses.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction (connecting to malicious RDP server). No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21307

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Verify installation via 'winver' command showing updated build number.

🔧 Temporary Workarounds

Disable RDP Client Network Level Authentication

windows

Prevents automatic connection to untrusted servers but reduces security

Not recommended as workaround - apply patch instead

Restrict RDP Connections via Firewall

windows

Block outbound RDP connections to untrusted networks

New-NetFirewallRule -DisplayName "Block RDP Outbound" -Direction Outbound -LocalPort 3389 -Protocol TCP -Action Block

🧯 If You Can't Patch

Implement network segmentation to restrict RDP traffic to trusted servers only
Deploy application control/whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with patched versions in Microsoft advisory

Check Version:

winver

Verify Fix Applied:

Run 'winver' command and verify build number matches patched version from Microsoft advisory

📡 Detection & Monitoring

Log Indicators:

Event ID 1149 in Windows Remote Desktop Services logs
Unexpected RDP client connections to external IPs

Network Indicators:

Outbound RDP connections to unknown external IPs
Unusual RDP traffic patterns

SIEM Query:

source="*security*" event_id=1149 OR (source="*rdp*" AND destination_ip NOT IN [trusted_servers])

📊 Metadata

CVE ID: CVE-2024-21307

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: January 9, 2024

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21307 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21307 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21307, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft