CVE-2024-38130
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are at risk.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
- Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' due to the unauthenticated nature and potential for remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates (KB5040442 for Windows 11, KB5040437 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38130
Restart Required: Yes
Instructions:
1. Apply the July 2024 Windows security updates from Microsoft Update or WSUS.
2. Restart affected systems to complete installation.
3. Verify patch installation via Windows Update history.
🔧 Temporary Workarounds
Disable RRAS Service
Platform: Windows
Temporarily disable the Routing and Remote Access Service if it is not required:
sc config RemoteAccess start= disabled
net stop RemoteAccess
Block RRAS Ports
Platform: All
Block network access to the RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) at firewalls.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RRAS servers from critical assets
- Deploy intrusion detection/prevention systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running ('sc query RemoteAccess') and whether the Windows build is one that has not yet received the fix.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify July 2024 security updates are installed via 'systeminfo' or Windows Update history.
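The workaround and verification steps above (service state, OS build, installed update, exposed ports, and the optional disable) collected into one script, as an added example that is not part of the advisory. It assumes an elevated PowerShell prompt; the KB identifiers are the ones the advisory's "Patch Version" line names, and the exact KB for a given build should be confirmed against the MSRC entry before the result is trusted.

```powershell
# Added example, not part of the advisory: report this host's RRAS exposure to
# CVE-2024-38130 and, with -DisableService, apply the "Disable RRAS Service"
# workaround. Run from an elevated PowerShell prompt.
# Assumption: the KB list is taken from the advisory's "Patch Version" line;
# the exact KB for a given build must be confirmed against the MSRC entry.
param(
    [switch]$DisableService   # apply the workaround instead of only reporting
)

$serviceName = 'RemoteAccess'
$fixKbs      = @('KB5040442', 'KB5040437')   # from the advisory; extend per MSRC

# 1. Service presence and state (object-form equivalent of "sc query RemoteAccess").
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'RRAS service is not installed; this host is not exposed through RRAS.'
    return
}
$startMode = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartMode
Write-Output ("RRAS service: status={0} startmode={1}" -f $svc.Status, $startMode)

# 2. OS identity (what the advisory's systeminfo | findstr line prints).
$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

# 3. Is one of the expected cumulative updates listed among installed hotfixes?
$installed = @(Get-HotFix | Where-Object { $fixKbs -contains $_.HotFixID })
if ($installed.Count -gt 0) {
    foreach ($h in $installed) {
        Write-Output ("Fix present: {0} installed {1}" -f $h.HotFixID, $h.InstalledOn)
    }
} else {
    Write-Output 'No listed fix KB found; treat the host as unpatched until confirmed.'
}

# 4. Are the RRAS ports the advisory names actually open on this host?
$ports = @(
    @{ Proto = 'TCP'; Port = 1723 },   # PPTP
    @{ Proto = 'UDP'; Port = 1701 },   # L2TP
    @{ Proto = 'UDP'; Port = 500  },   # IKE
    @{ Proto = 'UDP'; Port = 4500 }    # IKE NAT-T
)
foreach ($p in $ports) {
    $open = if ($p.Proto -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $p.Port -ErrorAction SilentlyContinue
    }
    if ($open) { Write-Output ("Listening: {0}/{1}" -f $p.Proto, $p.Port) }
}

# 5. Workaround: same effect as "sc config RemoteAccess start= disabled" + "net stop".
if ($DisableService) {
    Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $serviceName -StartupType Disabled
    Write-Output 'RRAS stopped and start type set to Disabled.'
}
```

Run it without arguments to get a report only; pass -DisableService to apply the workaround. The port check is a local listener check, so it tells you whether the service is reachable at all on this host, not whether a perimeter firewall already blocks it.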
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) from RRAS service
- Unexpected process creation from svchost.exe related to RemoteAccess service
- Crash logs from rassrv.dll
Network Indicators:
- Unusual traffic patterns to RRAS ports (1723, 1701, 500, 4500)
- Malformed packets targeting RRAS service
SIEM Query:
source="windows" AND (
  (event_id=4625 AND service_name="RemoteAccess")
  OR (process_name="svchost.exe" AND parent_process="services.exe" AND cmdline="*RemoteAccess*")
)
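The three log indicators above, queried from the local event logs with Get-WinEvent instead of a SIEM, as an added example that is not part of the advisory. It assumes that logon auditing (Event ID 4625) and process-creation auditing (Event ID 4688, with "Include command line in process creation events") are enabled, that RRAS runs inside a svchost.exe whose command line contains "RemoteAccess", and that RAS-originated failed logons can be recognised by their LogonProcessName; that last pattern is an assumption to adjust to what your build actually writes.

```powershell
# Added example, not part of the advisory: pull the advisory's three log indicators
# from the local event logs with Get-WinEvent, using the real Windows event fields.
# Assumptions: Security auditing for 4625 and 4688 (with command line) is enabled;
# RRAS runs in a svchost.exe whose command line contains "RemoteAccess"; the
# LogonProcessName pattern for RAS-originated 4625 events is an assumption.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's <EventData> into a name->value hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents([int]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventFields $_ }
}

# Indicator 1: failed logons (4625) attributed to the RAS logon path (assumed pattern).
$failedRas = @(Get-SecurityEvents 4625 | Where-Object { $_.LogonProcessName -match 'RAS|RemoteAccess' })

# Indicator 2: processes whose creator is the svchost.exe hosting RemoteAccess.
# 4688 records the creator PID ("ProcessId", hex string) but not its command line,
# so build the set of RRAS host PIDs from (a) the live service and (b) 4688 events
# that started a svchost with "RemoteAccess" on the command line. PIDs are reused,
# so treat hits as leads to triage, not proof.
$rrasPids = New-Object 'System.Collections.Generic.HashSet[string]'
$livePid = (Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'").ProcessId
if ($livePid) { [void]$rrasPids.Add(('0x{0:x}' -f [int]$livePid)) }

$procEvents = @(Get-SecurityEvents 4688)
foreach ($e in $procEvents) {
    if ($e.NewProcessName -like '*\svchost.exe' -and $e.CommandLine -match 'RemoteAccess') {
        [void]$rrasPids.Add($e.NewProcessId)
    }
}
$rrasChildren = @($procEvents | Where-Object { $rrasPids.Contains([string]$_.ProcessId) })

# Indicator 3: Application Error (1000) events whose faulting module is rassrv.dll.
$crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'rassrv\.dll' })

Write-Output ("Window: last {0}h" -f $Hours)
Write-Output ("4625 failed logons via RAS : {0}" -f $failedRas.Count)
$failedRas | ForEach-Object { Write-Output ("  {0} {1} from {2}" -f $_.TimeCreated, $_.TargetUserName, $_.IpAddress) }
Write-Output ("Children of RRAS svchost   : {0}" -f $rrasChildren.Count)
$rrasChildren | ForEach-Object { Write-Output ("  {0} {1} {2}" -f $_.TimeCreated, $_.NewProcessName, $_.CommandLine) }
Write-Output ("rassrv.dll crashes (1000)  : {0}" -f $crashes.Count)
$crashes | ForEach-Object { Write-Output ("  {0}" -f $_.TimeCreated) }
```

The second indicator deliberately keys on the creator PID of the RRAS service host rather than on "svchost.exe started by services.exe": every start of the RemoteAccess service matches the latter and is benign, whereas a child process spawned by the RRAS host is the unexpected event the advisory describes. A rassrv.dll crash on its own is weak evidence, but a crash close in time to malformed traffic on the RRAS ports is worth escalating.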