CVE-2024-38077

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on Windows systems running the Remote Desktop Licensing Service. It affects Windows servers with this service enabled, potentially giving attackers full system control. The high CVSS score reflects the ease of exploitation and severe impact.

💻 Affected Systems

Products:
  • Windows Remote Desktop Licensing Service
Versions: Windows Server 2019, Windows Server 2022, and potentially other Windows Server versions with the service enabled
Operating Systems: Windows Server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Remote Desktop Licensing Service is installed and running. Not all Windows Server installations have this service enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case

Initial foothold for attackers to establish persistence, steal credentials, and move laterally to other systems in the environment.

🟢 If Mitigated

Limited impact due to network segmentation, strict firewall rules, and proper access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Based on CVSS 9.8 score and CWE-122 (Heap-based Buffer Overflow), exploitation is likely straightforward for attackers with network access to the service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply latest Windows security updates from Microsoft

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38077

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft
2. Restart affected Windows Server systems
3. Verify the Remote Desktop Licensing Service is updated

🔧 Temporary Workarounds

Disable Remote Desktop Licensing Service

windows

Stop and disable the vulnerable service if not required

Stop-Service -Name TermServLicensing
Set-Service -Name TermServLicensing -StartupType Disabled

Block network access to service port

windows

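Restrict network access to the Remote Desktop Licensing Service port (default TCP 135). TCP 135 is the RPC endpoint mapper, which other RPC-based Windows services also use, so a blanket inbound block affects them as well; test the rule before deploying it on servers that depend on remote RPC.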

New-NetFirewallRule -DisplayName "Block RD Licensing" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running the service
  • Deploy intrusion prevention systems (IPS) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Remote Desktop Licensing Service is running and whether the system is missing Windows security updates

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history shows the latest security updates applied and service is either disabled or updated
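
The checks above can be scripted. This PowerShell is an added example, not part of the original advisory: `$RequiredKb` is a placeholder to replace with the KB listed for your OS build in the vendor advisory, and the firewall rule name is the one used in the workaround above.

```powershell
# Added example: local exposure check for CVE-2024-38077.
# $RequiredKb is a placeholder; this page does not give a KB number.
$RequiredKb = 'KB0000000'            # placeholder, replace before use
$RuleName   = 'Block RD Licensing'   # rule name from the workaround above

# Win32_Service reports both run state and start mode; $null if not installed.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TermServLicensing'"

# Hotfixes with a known install date, newest first.
$hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending)
$kbFound = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $RequiredKb })
$latest  = if ($hotfixes.Count -gt 0) {
    '{0} ({1:yyyy-MM-dd})' -f $hotfixes[0].HotFixID, $hotfixes[0].InstalledOn
} else { 'none listed' }

# Is the temporary inbound block rule present, enabled and set to Block?
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }

# Order matters: an absent service is not exposed regardless of patch level.
$verdict = if (-not $svc) { 'Service not installed: not exposed' }
elseif ($kbFound) { 'Required KB installed: confirm the restart happened' }
elseif ($svc.State -eq 'Running') { 'Service running, required KB not found' }
elseif ($svc.StartMode -eq 'Disabled') { 'Service disabled (workaround), still patch' }
else { 'Service stopped but able to start, still patch' }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    ServiceState = if ($svc) { $svc.State } else { 'NotInstalled' }
    StartMode    = if ($svc) { $svc.StartMode } else { 'n/a' }
    RequiredKb   = $RequiredKb
    KbInstalled  = $kbFound
    LatestHotFix = $latest
    BlockRule    = [bool]$rule
    Verdict      = $verdict
}
```

A later cumulative update also carries the fix, so a "required KB not found" result should be confirmed against Windows Update history before the host is treated as unpatched.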

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Remote Desktop Licensing Service
  • Failed authentication attempts to the service
  • Service crash or unexpected restart events

Network Indicators:

  • Unusual network traffic to TCP port 135 from unexpected sources
  • Multiple connection attempts to the licensing service

SIEM Query:

source="windows" AND (event_id=4688 OR event_id=4625) AND process_name="*TermServLicensing*"
