CVE-2024-38114

Q: What is the severity of CVE-2024-38114?

CVE-2024-38114 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote code execution through the Windows IP Routing Management Snapin. Attackers can exploit this to execute arbitrary code with SYSTEM privileges on affected Windows systems. All Windows systems with the vulnerable component are potentially affected.

8.8 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows remote code execution through the Windows IP Routing Management Snapin. Attackers can exploit this to execute arbitrary code with SYSTEM privileges on affected Windows systems. All Windows systems with the vulnerable component are potentially affected.

💻 Affected Systems

Products:

Windows Server
Windows Client

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the IP Routing Management Snapin component to be present and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, create backdoors, or pivot to other systems.

🟠

Likely Case

Initial foothold for lateral movement within enterprise networks, leading to ransomware deployment or data exfiltration.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and endpoint protection are in place.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires network access to the vulnerable component and may require specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2024 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38114

Restart Required: Yes

Instructions:

1. Apply July 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable IP Routing Management Snapin

windows

Remove or restrict access to the vulnerable component

Remove-MMCSnapin -Name "Routing and Remote Access"
Disable-WindowsOptionalFeature -FeatureName Routing -Online

Network Segmentation

all

Restrict network access to systems running the vulnerable component

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected systems
Apply principle of least privilege and disable unnecessary administrative tools

🔍 How to Verify

Check if Vulnerable:

Check if July 2024 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5035857 (Windows 10/11) or equivalent Server updates are installed

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from routing components
Suspicious network connections to routing services
Event ID 4688 with unusual parent processes

Network Indicators:

Unexpected connections to routing management ports
Anomalous traffic patterns from routing services

SIEM Query:

EventID=4688 AND (ProcessName="*routing*" OR ParentProcessName="*routing*") AND CommandLine="*suspicious*"

📊 Metadata

CVE ID: CVE-2024-38114

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: August 13, 2024

Last Updated: August 16, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38114 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft