CVE-2024-38072
📋 TL;DR
CVE-2024-38072 is a denial-of-service vulnerability in the Windows Remote Desktop Licensing Service where specially crafted packets can cause the service to crash. This affects Windows servers running Remote Desktop Licensing Service, potentially disrupting legitimate Remote Desktop connections. Organizations using Windows Remote Desktop Services for licensing are impacted.
💻 Affected Systems
- Windows Server
⚠️ Risk & Real-World Impact
Worst Case
Complete unavailability of Remote Desktop Licensing Service, preventing new Remote Desktop connections and disrupting existing licensed sessions across the enterprise.
Likely Case
Temporary service disruption requiring service restart, causing connection delays and potential licensing issues for Remote Desktop clients.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and service restoration.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to the licensing service port (typically TCP 135 or 445).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38072
Restart Required: Yes
Instructions:
1. Apply the July 2024 Windows Server security updates from Windows Update or Microsoft Update Catalog.
2. Restart the server to complete the installation.
3. Verify the Remote Desktop Licensing Service is running properly after restart.
🔧 Temporary Workarounds
Disable Remote Desktop Licensing Service
Windows: Temporarily disable the vulnerable service if it is not required for operations
Stop-Service -Name TermServLicensing
Set-Service -Name TermServLicensing -StartupType Disabled
Network Segmentation
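Windows: Restrict access to Remote Desktop Licensing Service ports. As written, the rule below blocks all inbound connections to TCP 135 and 445 on the server, including legitimate RPC and SMB traffic.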
New-NetFirewallRule -DisplayName "Block RD Licensing" -Direction Inbound -Protocol TCP -LocalPort 135,445 -Action Block
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can reach the Remote Desktop Licensing Service ports
- Monitor service health and implement automated restart procedures if the service crashes
🔍 How to Verify
Check if Vulnerable:
Check if Remote Desktop Licensing Service is installed and running: Get-Service TermServLicensing | Select Status, StartType
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that Windows Update history contains the July 2024 security updates, and check the service version after patching
📡 Detection & Monitoring
Log Indicators:
- Event ID 1000 or 1001 in Application logs indicating TermServLicensing service crash
- Unexpected service termination events in System logs
Network Indicators:
- Multiple connection attempts to TCP port 135 or 445 followed by service unavailability
- Unusual packet patterns to Remote Desktop Licensing ports
SIEM Query:
source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="TermServLicensing.exe"
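The log indicators above and the "automated restart" item under If You Can't Patch can be combined into one scheduled check. The script below is an added example, not vendor or advisory code; the 24-hour lookback, the use of Service Control Manager event IDs 7031/7034 for "unexpected service termination", and matching on the service name in the event text are assumptions of this example.

```powershell
# Added example (not vendor code): crash check plus guarded restart for RD Licensing.
# Assumptions: run elevated on the license server; the 24-hour lookback is illustrative.
$ServiceName = 'TermServLicensing'
$Since       = (Get-Date).AddHours(-24)
$svc         = Get-Service -Name $ServiceName -ErrorAction Stop

# Application log: Event ID 1000/1001 whose text names the service.
$appCrashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 1000, 1001; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) }

# System log: Service Control Manager logs unexpected terminations as 7031/7034
# and refers to the service by its display name.
$scmStops = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7031, 7034; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) }

$events = @(@($appCrashes) + @($scmStops) | Sort-Object TimeCreated)
$events | Select-Object TimeCreated, LogName, Id, ProviderName | Format-Table -AutoSize

# Restart only if the service is down and was not deliberately disabled
# (for example by the "Disable Remote Desktop Licensing Service" workaround).
$svc.Refresh()
if ($svc.Status -ne 'Running' -and $svc.StartType -ne 'Disabled') {
    Write-Warning "$ServiceName is $($svc.Status); $($events.Count) crash event(s) since $Since."
    Start-Service -Name $ServiceName
    Write-Output "Restarted $ServiceName at $(Get-Date -Format o)"
} elseif ($events.Count -gt 0) {
    Write-Warning "$ServiceName is running but logged $($events.Count) crash event(s) since $Since."
}
```

Repeated restarts reported by this check on an unpatched server are themselves a signal worth forwarding to the SIEM alongside the query above.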