CVE-2024-38120
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow to gain SYSTEM privileges on affected servers. Organizations using Windows servers with RRAS enabled are at risk.
💻 Affected Systems
- Windows Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to ransomware deployment, data exfiltration, or creation of backdoors for future attacks.
If Mitigated
Limited impact if RRAS is disabled or network access is restricted, though vulnerable systems remain at risk if exposed.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the RRAS service. No authentication is needed, but the attacker must have network access to the vulnerable service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows Server security updates from Microsoft
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38120
Restart Required: Yes
Instructions:
1. Download and install the latest Windows Server security updates from Microsoft Update
2. Restart the server to complete the installation
3. Verify that the RRAS service is running properly after the restart
🔧 Temporary Workarounds
Disable RRAS Service
Temporarily disable the Routing and Remote Access Service if it is not required:
```powershell
# Stop the RRAS service and prevent it from starting again on reboot
Stop-Service RemoteAccess
Set-Service RemoteAccess -StartupType Disabled
```
Network Segmentation
Restrict network access to the RRAS service using firewall rules:
```powershell
# Block inbound PPTP control connections (TCP 1723) to the RRAS service
New-NetFirewallRule -DisplayName "Block RRAS" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Block
```
🧯 If You Can't Patch
- Disable RRAS service immediately if not required for business operations
- Implement strict network segmentation and firewall rules to block external access to RRAS ports
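The following script combines the two workarounds above into one idempotent, previewable step. It is an added example, not part of the advisory or of any Microsoft tooling. It assumes an elevated PowerShell session on Windows Server with the built-in NetSecurity module, and it blocks the two RRAS ports this page lists under Network Indicators (TCP 1723 for PPTP and UDP 1701 for L2TP); the rule names and the `Invoke-RrasWorkaround` function name are chosen here.

```powershell
# Added example: apply the temporary workarounds and report the resulting state.
# Run elevated. Remove -WhatIf from the final line to actually apply the changes.
function Invoke-RrasWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Set to $false when RRAS is business-critical and only the
        # firewall rules should be applied.
        [bool]$DisableService = $true
    )

    # Ports named in this advisory's Network Indicators section.
    $rules = @(
        @{ DisplayName = 'Block RRAS PPTP (CVE-2024-38120 workaround)'; Protocol = 'TCP'; LocalPort = 1723 },
        @{ DisplayName = 'Block RRAS L2TP (CVE-2024-38120 workaround)'; Protocol = 'UDP'; LocalPort = 1701 }
    )

    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist so re-runs are safe.
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.DisplayName)' already present"
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Create inbound block rule')) {
            New-NetFirewallRule @r -Direction Inbound -Action Block -Profile Any | Out-Null
        }
    }

    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Verbose 'RemoteAccess service not installed; nothing to stop'
    }
    elseif ($DisableService -and $PSCmdlet.ShouldProcess('RemoteAccess', 'Stop and disable service')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name RemoteAccess -Force }
        Set-Service -Name RemoteAccess -StartupType Disabled
    }

    # Return the resulting state so it can be logged or checked by a caller.
    $after = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus  = if ($after) { $after.Status }    else { 'not installed' }
        ServiceStartup = if ($after) { $after.StartType } else { 'not installed' }
        FirewallRules  = (Get-NetFirewallRule -DisplayName 'Block RRAS *' -ErrorAction SilentlyContinue).DisplayName
    }
}

Invoke-RrasWorkaround -WhatIf -Verbose
```

The block rules only cover the PPTP and L2TP ports this page names; RRAS deployments that also expose IKEv2 or SSTP need additional rules, and the ports listed here should be confirmed against the server's own listening sockets before relying on the rule set.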
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running and whether the Windows Server version is affected.
Check Version:
```cmd
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
Verify Fix Applied:
Verify that Windows Update history shows the latest security patches installed and that the RRAS service functions normally.
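The script below gathers the "Check if Vulnerable" and "Verify Fix Applied" facts in a single object that can be collected from many servers. It is an added example, not part of the advisory. It assumes Windows Server with PowerShell 5.1 or later; `KB0000000` is a placeholder for the KB article number of the update for your OS build, which you take from the MSRC advisory linked above, and the `Get-RrasExposure` function name is chosen here.

```powershell
# Added example: report OS version, RRAS state, listening RRAS ports and
# whether the specified update is installed.
function Get-RrasExposure {
    param(
        # PLACEHOLDER - replace with the real KB number from the MSRC advisory
        [string]$PatchKb = 'KB0000000'
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    # Get-HotFix reads Win32_QuickFixEngineering; the KB must match exactly.
    $fix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue

    # Listening sockets on the RRAS ports named in this advisory.
    $pptp = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    $l2tp = Get-NetUDPEndpoint  -LocalPort 1701 -ErrorAction SilentlyContinue

    $serviceActive = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OSName           = $os.Caption
        OSVersion        = $os.Version
        RrasInstalled    = ($null -ne $svc)
        RrasRunning      = $serviceActive
        RrasStartup      = if ($svc) { $svc.StartType } else { 'n/a' }
        ListeningPptp    = ($null -ne $pptp)
        ListeningL2tp    = ($null -ne $l2tp)
        PatchInstalled   = ($null -ne $fix)
        PatchInstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        # Exposed = service running and the update not present.
        LikelyVulnerable = $serviceActive -and ($null -eq $fix)
    }
}

Get-RrasExposure | Format-List
```

`LikelyVulnerable` is deliberately conservative: a server with RRAS installed but stopped, or with the update present, is reported as not exposed, while a server with RRAS running and no matching hotfix is flagged for follow-up. Because cumulative updates supersede one another, also check `Get-HotFix` for any later cumulative update if the exact KB is not listed.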
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service crashes in Event Viewer
- Failed authentication attempts to RRAS
- Suspicious network connections to RRAS ports
Network Indicators:
- Unusual traffic patterns to RRAS ports (TCP 1723, UDP 1701)
- Malformed packets targeting RRAS service
SIEM Query:
```
source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="svchost.exe" AND service_name="RemoteAccess"
```
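For hosts that are not yet forwarding logs to a SIEM, the log indicators above can be pulled directly from the local event logs. This is an added example, not part of the advisory. It assumes an elevated session on Windows Server with default logging: it combines the Application Error (1000) and Windows Error Reporting (1001) events from the query above with the standard Service Control Manager events 7031 and 7034 ("service terminated unexpectedly"), which are not named on this page, and correlates them by time; the 60-second window and the `Find-RrasCrashEvents` function name are choices made here.

```powershell
# Added example: find RRAS service crashes and the svchost faults around them.
function Find-RrasCrashEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 7031/7034: Service Control Manager reports a service terminated unexpectedly.
    $scm = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since
    } | Where-Object { $_.Message -match 'Routing and Remote Access|RemoteAccess' }

    # 1000 = Application Error, 1001 = Windows Error Reporting. RRAS runs inside
    # svchost.exe, so a faulting svchost is the host-side crash signal; the
    # faulting module is only available in the message text.
    $app = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Id = 1000, 1001; StartTime = $since
    } | Where-Object { $_.Message -match 'svchost\.exe' }

    # Correlate: an svchost fault within 60 s of an RRAS SCM event is far more
    # likely to belong to the RRAS host process than to another svchost.
    foreach ($s in $scm) {
        $near = @($app | Where-Object {
            [math]::Abs(($_.TimeCreated - $s.TimeCreated).TotalSeconds) -le 60
        })
        $modules = @()
        foreach ($e in $near) {
            if ($e.Message -match 'Faulting module name: ([^,\s]+)') { $modules += $Matches[1] }
        }
        [pscustomobject]@{
            Computer       = $ComputerName
            Time           = $s.TimeCreated
            ScmEventId     = $s.Id
            AppCrashIds    = ($near.Id | Sort-Object -Unique) -join ','
            FaultingModule = ($modules | Sort-Object -Unique) -join ','
            Message        = ($s.Message -split "`n")[0]
        }
    }
}

Find-RrasCrashEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

A burst of these records, especially repeated crashes with the same faulting module shortly after inbound traffic on TCP 1723 or UDP 1701, is the host-side counterpart of the network indicators listed above and is worth escalating even on a patched server, since it may indicate continued probing.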