CVE-2024-30029
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this to gain SYSTEM-level privileges on affected systems. Organizations using Windows servers with RRAS enabled are primarily affected.
💻 Affected Systems
- Windows Server
- Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges leading to lateral movement, data exfiltration, ransomware deployment, or persistent backdoor installation across the network.
Likely Case
Initial foothold on network perimeter leading to privilege escalation, credential harvesting, and lateral movement to critical systems.
If Mitigated
Limited impact due to network segmentation, proper patch management, and disabled RRAS service on non-essential systems.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires specific network access to RRAS service ports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates (KB5037771 for Windows 11, KB5037765 for Server 2022, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30029
Restart Required: Yes
Instructions:
1. Apply the May 2024 Windows security updates from Windows Update or the Microsoft Update Catalog.
2. Restart affected systems.
3. Verify patch installation via the 'systeminfo' command or Windows Update history.
🔧 Temporary Workarounds
Disable RRAS Service
Temporarily disable the Routing and Remote Access Service if it is not required for business operations (this also stops any VPN or NAT function the host provides through RRAS):
sc config RemoteAccess start= disabled
sc stop RemoteAccess
Block RRAS Ports
Block network access to the RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) at the firewall. These rules cover PPTP control, L2TP and IKE/IPsec NAT-T; if PPTP or SSTP is enabled on the host, the GRE carrier (IP protocol 47) and TCP 443 are not covered by them and need their own rules.
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Disable RRAS service on all non-essential systems immediately
- Implement strict network segmentation to isolate RRAS servers from critical assets
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is installed and running ('sc query RemoteAccess') and whether the Windows version is in the affected list above.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the May 2024 security update for your build is installed. The 'Hotfix(s)' line that systeminfo prints is only a header; the KB numbers follow on the next lines, so search for the KB itself, e.g. 'systeminfo | findstr /C:"KB5037771"' (substitute the KB for your build), or in PowerShell 'Get-HotFix -Id KB5037771'.
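The three checks above (service state, OS build, update installed) can be run as one pass. The following PowerShell function is an added example, not code from the advisory page or from Microsoft; the build-to-KB table is an assumption that fills in only the two KBs named on this page and uses a placeholder for every other build, which must be replaced from the vendor advisory before the result is trusted.

```powershell
# Added example, not from the advisory page or from Microsoft: one assessment pass
# for CVE-2024-30029 on the local host (RRAS present and running, OS build,
# May 2024 update installed).
# Assumed: the build-to-KB table only fills in the two KBs the page names; every
# other build gets a placeholder that must be replaced from the vendor advisory.
$RequiredKbByBuild = @{
    '20348' = 'KB5037765'   # Windows Server 2022 (KB from the page)
    '22621' = 'KB5037771'   # Windows 11 22H2   (page: "KB5037771 for Windows 11")
    '22631' = 'KB5037771'   # Windows 11 23H2   (same package as 22H2)
}
$PlaceholderKb = 'KB-PLACEHOLDER-SEE-ADVISORY'

function Get-RrasExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [string]$os.BuildNumber                     # e.g. '20348'
    $svc   = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    if ($RequiredKbByBuild.ContainsKey($build)) { $requiredKb = $RequiredKbByBuild[$build] }
    else                                          { $requiredKb = $PlaceholderKb }

    # Get-HotFix reads the same list that 'systeminfo' prints under "Hotfix(s)",
    # but lets us test for one specific KB instead of reading the output by eye.
    $patched = [bool](Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue)

    if ($svc) { $status = [string]$svc.Status; $startType = [string]$svc.StartType }
    else      { $status = 'NotInstalled';      $startType = 'n/a' }

    # Exposed only when RRAS exists, is running, and the required update is absent.
    # A placeholder KB is never "found", so unknown builds report Exposed = True
    # until the table is completed; treat that as "needs review", not as a false alarm.
    $exposed = (($null -ne $svc) -and ($status -eq 'Running') -and (-not $patched))

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        Build         = $build
        RrasInstalled = ($null -ne $svc)
        RrasStatus    = $status
        RrasStartType = $startType
        RequiredKb    = $requiredKb
        Patched       = $patched
        Exposed       = $exposed
    }
}

Get-RrasExposure | Format-List
```

The function keys on the OS build number rather than the marketing name because Get-HotFix matches on the exact KB ID, and the same Windows 11 package serves more than one release; extend the table from the advisory for the Windows 10 builds listed above before using the Exposed field for fleet reporting.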
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) to RRAS service
- Event ID 4688 (process creation) with unusual parent processes
- Windows Security logs showing unexpected RRAS service restarts
Network Indicators:
- Unusual traffic patterns to RRAS ports (1723, 1701, 500, 4500)
- Connection attempts from unexpected IP addresses to RRAS service
SIEM Query:
source="windows_security" ((event_id=4625 AND service_name="RemoteAccess") OR (event_id=4688 AND (new_process_name LIKE "%powershell%" OR new_process_name LIKE "%cmd%")))
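For a host that is not yet forwarding to a SIEM, the same indicators can be pulled from the local event logs. The script below is an added example, not from the advisory page or from Microsoft. The look-back window, the shell-name pattern, the failed-logon burst threshold and the choice of Service Control Manager events 7034 and 7036 in the System log for RRAS crashes and restarts are all assumptions made here, not values from the page; the 4688 check narrows the page's "unusual parent processes" to shells spawned directly by svchost.exe, the process that hosts the RemoteAccess service.

```powershell
# Added example, not from the advisory page or from Microsoft: runs the page's log
# indicators against the local Security and System logs with Get-WinEvent.
# Assumed (not from the page): the look-back window, the shell-name pattern, the
# failed-logon burst threshold, and the use of Service Control Manager events 7034
# (service terminated unexpectedly) and 7036 (state change) for RRAS crashes/restarts.
$LookbackHours    = 24
$SuspectChild     = '\\(cmd|powershell|pwsh)\.exe$'  # shells the RRAS host process never spawns itself
$FailedLogonBurst = 10                               # 4625 events from one source IP in the window

function ConvertTo-EventData {
    # Flattens the <EventData> block of an event record into a hashtable keyed by field
    # name; this is the reliable way to reach fields such as ParentProcessName.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = [string]$d.'#text' }
    return $fields
}

function New-Hit {
    param($Time, $Indicator, $Detail)
    [pscustomobject]@{ Time = $Time; Indicator = $Indicator; Detail = $Detail }
}

function Get-RrasDetectionHits {
    param([int]$Hours = $LookbackHours)
    $since = (Get-Date).AddHours(-$Hours)

    # Indicator: process creation (4688) of a shell parented by svchost.exe, the process that
    # hosts the RemoteAccess service. Needs 'Audit Process Creation' enabled; CommandLine is
    # only populated when command-line auditing is switched on as well.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['NewProcessName'] -match $SuspectChild -and $d['ParentProcessName'] -match '\\svchost\.exe$') {
                New-Hit $_.TimeCreated 'ShellSpawnedByServiceHost' "$($d['ParentProcessName']) -> $($d['NewProcessName']) $($d['CommandLine'])"
            }
        }

    # Indicator: failed logons (4625) clustered by source address. Network logons (type 3)
    # are what a VPN endpoint receives; a burst from one address is the signal.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_['LogonType'] -eq '3' -and $_['IpAddress'] -and $_['IpAddress'] -ne '-' } |
        Group-Object { $_['IpAddress'] } |
        Where-Object { $_.Count -ge $FailedLogonBurst } |
        ForEach-Object { New-Hit (Get-Date) 'FailedLogonBurst' "$($_.Count) failed network logons from $($_.Name)" }

    # Indicator: RRAS service crashes and restarts. These are written to the System log by the
    # Service Control Manager, not to the Security log; a failed attempt against a
    # memory-safety bug in the service typically surfaces here first as a 7034.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034, 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Routing and Remote Access' } |
        ForEach-Object { New-Hit $_.TimeCreated "ServiceControlManager$($_.Id)" $_.Message }
}

Get-RrasDetectionHits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the Security log is readable. The 7034 check is the cheapest signal of the three: a crash of "Routing and Remote Access" on a server that nobody restarted is worth a look regardless of what the Security log shows, and the thresholds above should be tuned to the host's normal VPN logon volume before alerting on them.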