CVE-2024-38154
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are at risk.
💻 Affected Systems
- Windows Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to ransomware deployment, data exfiltration, or creation of backdoors for future attacks.
If Mitigated
Limited impact if RRAS is disabled or properly firewalled, though vulnerable systems remain at risk until patched.
🎯 Exploit Status
The assigned weakness class is CWE-122 (heap-based buffer overflow); exploiting this class reliably typically requires some technical sophistication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows Server security updates from Microsoft
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38154
Restart Required: Yes
Instructions:
1. Apply Windows Server security updates via Windows Update or WSUS.
2. Restart affected servers.
3. Verify the RRAS service is running correctly post-patch.
🔧 Temporary Workarounds
Disable RRAS Service
Stop and disable the Routing and Remote Access Service if it is not required:
Stop-Service RemoteAccess
Set-Service RemoteAccess -StartupType Disabled
Block RRAS Ports
Block inbound network access to the RRAS ports (typically TCP 1723 for PPTP, UDP 1701 for L2TP, and UDP 500/4500 for IKE/NAT-T). Note that blocking UDP 500 and 4500 also blocks any other IPsec traffic to the host:
New-NetFirewallRule -DisplayName "Block RRAS" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS UDP" -Direction Inbound -Protocol UDP -LocalPort 1701,500,4500 -Action Block
🧯 If You Can't Patch
- Disable RRAS service immediately if not required for business operations
- Implement strict network segmentation and firewall rules to limit RRAS access to trusted networks only
🔍 How to Verify
Check if Vulnerable:
Check if the RRAS service is running:
Get-Service RemoteAccess | Select Status, StartType
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that Windows Update history contains the latest security patches and that the RRAS service remains functional.
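The checks above combined into one script, added here as an example and not part of the original advisory. It assumes the firewall rule display names from the workaround section ("Block RRAS", "Block RRAS UDP") and takes the patch KB id as a parameter, left as a placeholder because the advisory does not name it.

```powershell
# Added example: report the RRAS exposure state of this host.
# The KB id is a placeholder; take the real one from the MSRC advisory linked above.
param([string]$PatchKB = 'KB-PLACEHOLDER')

$findings = [ordered]@{}

# 1. Service state: Stopped + Disabled means the primary workaround is in place.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings['Service'] = 'RemoteAccess service not installed'
} else {
    $findings['Service'] = "Status=$($svc.Status) StartType=$($svc.StartType)"
}

# 2. Listening sockets on the VPN ports RRAS uses (PPTP 1723/TCP; L2TP 1701, IKE 500/4500 UDP).
$tcp = Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -LocalPort 1701,500,4500 -ErrorAction SilentlyContinue
$listeners = @()
foreach ($c in $tcp) { $listeners += "TCP/$($c.LocalPort) pid=$($c.OwningProcess)" }
foreach ($u in $udp) { $listeners += "UDP/$($u.LocalPort) pid=$($u.OwningProcess)" }
$findings['Listeners'] = if ($listeners) { $listeners -join ', ' } else { 'none' }

# 3. Inbound block rules from the workaround section, matched by display name prefix.
$rules = Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
$findings['FirewallBlockRules'] = if ($rules) { $rules.DisplayName -join ', ' } else { 'none' }

# 4. Patch presence: Get-HotFix only sees updates installed through the servicing stack.
$hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
$findings['Patch'] = if ($hotfix) { "$PatchKB installed $($hotfix.InstalledOn)" } else { "$PatchKB not found" }

# Verdict: exposed only if the service is running, ports are open, and neither block rules
# nor the patch are present. Unpatched hosts with the service stopped are still flagged above.
$serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
$findings['Exposed'] = ($serviceRunning -and $listeners.Count -gt 0 -and -not $rules -and -not $hotfix)

$findings.GetEnumerator() | ForEach-Object { '{0,-18} : {1}' -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell session, since Get-NetTCPConnection and Get-NetFirewallRule need administrative rights to see owning processes and all rules.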
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) from RRAS service
- Unexpected child processes spawned by the svchost.exe instance hosting RRAS
- Crash logs from RemoteAccess service
Network Indicators:
- Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources
- Malformed packets targeting RRAS service
SIEM Query:
source="windows" AND (service="RemoteAccess" AND (event_id=4625 OR process_create="*powershell*" OR process_create="*cmd*"))