CVE-2024-30024
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this flaw by sending specially crafted packets to vulnerable RRAS servers. Organizations using Windows servers with RRAS enabled are primarily affected.
💻 Affected Systems
- Windows Server
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to complete control over the server, lateral movement within the network, data exfiltration, and deployment of ransomware or other malware.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and establishment of persistent access for further attacks.
If Mitigated
Limited impact due to network segmentation, proper firewall rules, and disabled RRAS service on internet-facing systems.
🎯 Exploit Status
Microsoft has rated this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30024
Restart Required: Yes
Instructions:
1. Apply May 2024 Windows Server security updates via Windows Update.
2. For manual installation, download the appropriate KB from Microsoft Update Catalog.
3. Restart the server after installation.
🔧 Temporary Workarounds
Disable RRAS Service
Temporarily disable the Routing and Remote Access Service if it is not required
sc config RemoteAccess start= disabled
net stop RemoteAccess
Block RRAS Ports
Block network access to RRAS ports (typically TCP 1723, UDP 1701, UDP 500, UDP 4500)
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Disable RRAS service on all internet-facing systems immediately
- Implement strict network segmentation and firewall rules to limit RRAS traffic to trusted internal networks only
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is installed and running:
sc query RemoteAccess
Then confirm the Windows version with the command under Check Version.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm the May 2024 updates are installed by listing hotfixes and checking for the KB numbers named in the Microsoft advisory:
wmic qfe list | findstr "KB"
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service restarts
- Failed RRAS authentication attempts from unexpected sources
- Windows Security Event ID 4625 (failed logon) for RRAS
Network Indicators:
- Unusual traffic to RRAS ports (TCP 1723, UDP 1701, 500, 4500) from external sources
- Malformed packets to RRAS service
SIEM Query:
source="windows" AND ((event_id=4625 AND process_name="svchost.exe" AND service_name="RemoteAccess") OR (event_id=7036 AND service_name="RemoteAccess" AND (status="stopped" OR status="started")))
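The same detection logic as the SIEM query above, run offline over constructed sample events, as an added example (not part of the original advisory). It applies the source filter to both branches and adds a check for the "unusual RRAS service restarts" indicator: more than one RemoteAccess stop within a ten-minute window. The record field names and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like normalized SIEM records (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-05-15T10:00:00", "source": "windows", "event_id": 7036,
     "service_name": "RemoteAccess", "status": "stopped"},
    {"ts": "2024-05-15T10:00:05", "source": "windows", "event_id": 7036,
     "service_name": "RemoteAccess", "status": "started"},
    {"ts": "2024-05-15T10:02:00", "source": "windows", "event_id": 7036,
     "service_name": "Spooler", "status": "stopped"},          # other service
    {"ts": "2024-05-15T10:03:00", "source": "windows", "event_id": 4625,
     "process_name": "svchost.exe", "service_name": "RemoteAccess"},
    {"ts": "2024-05-15T10:04:00", "source": "linux", "event_id": 4625,
     "process_name": "svchost.exe", "service_name": "RemoteAccess"},  # wrong source
    {"ts": "2024-05-15T10:06:00", "source": "windows", "event_id": 7036,
     "service_name": "RemoteAccess", "status": "stopped"},
    {"ts": "2024-05-15T10:06:10", "source": "windows", "event_id": 7036,
     "service_name": "RemoteAccess", "status": "started"},
]


def matches_rras_query(ev):
    """Mirror the advisory's SIEM query: Windows-sourced 4625 logon failures
    attributed to the RemoteAccess service, or 7036 stop/start of that service."""
    if ev.get("source") != "windows":
        return False
    failed_logon = (ev.get("event_id") == 4625
                    and ev.get("process_name") == "svchost.exe"
                    and ev.get("service_name") == "RemoteAccess")
    state_change = (ev.get("event_id") == 7036
                    and ev.get("service_name") == "RemoteAccess"
                    and ev.get("status") in ("stopped", "started"))
    return failed_logon or state_change


def rras_restart_bursts(events, max_stops=1, window=timedelta(minutes=10)):
    """Return timestamps of RemoteAccess stops that exceed max_stops within
    the trailing window, i.e. the 'unusual RRAS service restarts' indicator."""
    stops = sorted(datetime.fromisoformat(e["ts"]) for e in events
                   if matches_rras_query(e) and e.get("event_id") == 7036
                   and e.get("status") == "stopped")
    alerts = []
    for i, t in enumerate(stops):
        recent = [s for s in stops[:i + 1] if t - s <= window]
        if len(recent) > max_stops:
            alerts.append(t.isoformat())
    return alerts
```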