CVE-2024-30094

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by sending specially crafted packets. It affects Windows servers and workstations with RRAS enabled, potentially allowing attackers to gain SYSTEM privileges on vulnerable systems.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RRAS role/feature is installed and enabled. Not enabled by default on most Windows installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistent backdoors.

🟠 Likely Case

Remote code execution leading to ransomware deployment, credential harvesting, or botnet recruitment.

🟢 If Mitigated

Limited impact if network segmentation restricts RRAS traffic and proper patching is implemented.

🌐 Internet-Facing: HIGH - RRAS services exposed to internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit RRAS on vulnerable internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply May 2024 security updates or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30094

Restart Required: Yes

Instructions:

1. Apply May 2024 Windows security updates via Windows Update.
2. For enterprise: Deploy via WSUS, SCCM, or Microsoft Update Catalog.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable RRAS Service

windows

Stop and disable the Routing and Remote Access Service if not required

sc stop RemoteAccess
sc config RemoteAccess start= disabled

Block RRAS Ports

windows

Block network access to RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500)

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

  • Disable RRAS service completely if not required for business operations
  • Implement strict network segmentation to isolate RRAS servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the RRAS service is running with 'sc query RemoteAccess', then verify whether the Windows version is unpatched

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify May 2024 security updates are installed via 'systeminfo' or Windows Update history

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with RRAS process creation
  • Unexpected RRAS service restarts
  • Windows Security logs showing SYSTEM privilege escalation

Network Indicators:

  • Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources
  • Malformed packets to RRAS service
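
An added example for the first network indicator above (not part of the original advisory): it reads Windows Firewall log text in the pfirewall.log layout and counts inbound hits on the listed RRAS ports from sources outside an allowlist. The sample log lines, the EXPECTED_SOURCES range, and the assumption that firewall logging is enabled are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RRAS ports named in the workaround: TCP 1723, UDP 1701, UDP 500, UDP 4500.
RRAS_PORTS = {("TCP", 1723), ("UDP", 1701), ("UDP", 500), ("UDP", 4500)}

# Assumption: the only network expected to reach this RRAS server.
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-20 10:15:01 ALLOW TCP 10.20.4.7 10.20.0.5 51544 1723 0 - 0 0 0 - - - RECEIVE
2024-05-20 10:15:09 ALLOW TCP 203.0.113.45 10.20.0.5 40211 1723 0 - 0 0 0 - - - RECEIVE
2024-05-20 10:15:10 ALLOW TCP 203.0.113.45 10.20.0.5 40212 1723 0 - 0 0 0 - - - RECEIVE
2024-05-20 10:16:10 DROP UDP 198.51.100.9 10.20.0.5 40112 4500 96 - - - - - - - RECEIVE
2024-05-20 10:16:30 ALLOW UDP 203.0.113.45 10.20.0.5 40300 1723 64 - - - - - - - RECEIVE
2024-05-20 10:16:45 ALLOW TCP 10.20.0.5 192.0.2.10 49800 443 0 - 0 0 0 - - - SEND
2024-05-20 10:17:00 ALLOW ICMP 203.0.113.45 10.20.0.5 - - 60 - - - - 8 0 - RECEIVE
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names on the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def unexpected_rras_traffic(log_text, expected=EXPECTED_SOURCES):
    """Count inbound hits on RRAS ports from sources outside `expected`."""
    hits = Counter()
    for rec in parse(log_text):
        if rec["path"] != "RECEIVE" or not rec["dst-port"].isdigit():
            continue  # outbound traffic, or ICMP with no port
        service = (rec["protocol"], int(rec["dst-port"]))
        if service not in RRAS_PORTS:
            continue  # e.g. UDP 1723 is not one of the listed pairs
        src = ipaddress.ip_address(rec["src-ip"])
        if not any(src in net for net in expected):
            hits[(rec["src-ip"], *service, rec["action"])] += 1
    return hits

if __name__ == "__main__":
    for key, count in unexpected_rras_traffic(SAMPLE_LOG).items():
        print(count, *key)
```

DROP entries show a block rule doing its job; ALLOW entries from unexpected sources are the ones to review first.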

SIEM Query:

source="windows" AND ((event_id=4688 AND process_name="*rras*") OR service_name="RemoteAccess")
