CVE-2024-38104
📋 TL;DR
CVE-2024-38104 is a remote code execution vulnerability in the Windows Fax Service that allows an attacker to execute arbitrary code with SYSTEM privileges on affected systems. This affects Windows servers and workstations running vulnerable versions of the Fax Service. An attacker could exploit this to take complete control of the target system.
💻 Affected Systems
- Windows Fax Service
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21h2 by Microsoft
- Windows 10 22h2 by Microsoft
- Windows 11 21h2 by Microsoft
- Windows 11 22h2 by Microsoft
- Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation across the network.
Likely Case
Initial foothold leading to privilege escalation, credential harvesting, and lateral movement within the network environment.
If Mitigated
Limited impact due to network segmentation, restricted service permissions, and comprehensive monitoring detecting exploitation attempts.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' based on their assessment framework.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38104
Restart Required: Yes
Instructions:
1. Apply July 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Update Catalog.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Windows Fax Service
Windows: Completely disable the vulnerable Fax Service to prevent exploitation
sc stop Fax
sc config Fax start= disabled
Block Fax Service Ports
Windows: Block network access to Fax Service ports (typically TCP 2000-2001)
netsh advfirewall firewall add rule name="Block Fax Service" dir=in action=block protocol=TCP localport=2000-2001
🧯 If You Can't Patch
- Disable Windows Fax Service on all affected systems immediately
- Implement network segmentation to isolate systems with Fax Service enabled
- Apply strict firewall rules blocking inbound Fax Service traffic
- Enable enhanced logging and monitoring for Fax Service activity
🔍 How to Verify
Check if Vulnerable:
Check whether the Fax Service is running and whether the system is missing the July 2024 security updates
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify July 2024 security updates are installed and Fax Service is either patched or disabled
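The checks above can be gathered into one per-host report. This is an added example, not part of the vendor advisory or this page's original content. The function name, the `$KbIds` placeholder (fill it from the vendor advisory for your OS build) and the 2024-07-09 release date used for the fallback heuristic are assumptions.

```powershell
# Added example: reports Fax Service state, patch evidence and the block rule.
# $KbIds is a placeholder: supply the KB numbers listed for your OS build in
# the vendor advisory. Without them, only an install-date heuristic is used.
param(
    [string[]]$KbIds = @(),
    [datetime]$FixReleased = '2024-07-09'   # assumed July 2024 release date
)

function Get-FaxExposure {
    param([string[]]$KbIds, [datetime]$FixReleased)

    # Win32_Service exposes both the current state and the configured start mode.
    # The Fax Service is optional, so a missing service is a valid result.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Fax'" -ErrorAction SilentlyContinue

    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    if ($KbIds.Count -gt 0) {
        $patched = [bool]($hotfixes | Where-Object { $KbIds -contains $_.HotFixID })
        $basis   = 'KB match'
    } else {
        # Heuristic only: some update was installed on or after the release date.
        $patched = [bool]($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $FixReleased })
        $basis   = 'install-date heuristic'
    }

    # The rule name comes from the netsh workaround on this page.
    $rule = Get-NetFirewallRule -DisplayName 'Block Fax Service' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }

    $installed = $null -ne $svc
    $disabled  = $installed -and $svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running'

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FaxInstalled    = $installed
        FaxState        = if ($installed) { $svc.State } else { 'n/a' }
        FaxStartMode    = if ($installed) { $svc.StartMode } else { 'n/a' }
        PatchDetected   = $patched
        PatchBasis      = $basis
        BlockRuleActive = [bool]$rule
        # Flag hosts where the service can still run and no patch evidence exists.
        NeedsAction     = $installed -and -not $disabled -and -not $patched
    }
}

Get-FaxExposure -KbIds $KbIds -FixReleased $FixReleased
```

A `PatchBasis` of `install-date heuristic` only shows that some update was installed after the release date; confirm against the KB numbers in the vendor advisory before treating a host as fixed.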
📡 Detection & Monitoring
Log Indicators:
- Unexpected Fax Service start/stop events
- Process creation from Fax Service executable
- Network connections to Fax Service ports
Network Indicators:
- Unusual traffic to TCP ports 2000-2001
- Malformed Fax Service protocol packets
- Connection attempts from unexpected sources
SIEM Query:
(EventID=7045 OR EventID=7036) AND (ServiceName="Fax" OR ProcessName="fxssvc.exe")