CVE-2024-38231

6.5 MEDIUM

📋 TL;DR

This vulnerability in Windows Remote Desktop Licensing Service allows attackers to cause a denial of service by sending specially crafted packets. It affects systems running the Remote Desktop Licensing role, potentially disrupting legitimate Remote Desktop connections. Organizations using Windows Server with Remote Desktop Services are primarily affected.

💻 Affected Systems

Products:
  • Windows Server
Versions: Windows Server 2019, Windows Server 2022, Windows Server 2016
Operating Systems: Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Remote Desktop Licensing role installed and running. Workstations and servers without this role are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of Remote Desktop Licensing Service, preventing new Remote Desktop connections from being authorized and potentially disrupting existing sessions.

🟠 Likely Case

Service crashes requiring manual restart, causing temporary disruption to Remote Desktop licensing operations.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to the licensing service.

🌐 Internet-Facing: MEDIUM - While the service shouldn't be internet-facing, misconfigurations could expose it to external attacks.
🏢 Internal Only: HIGH - The service is typically deployed internally and vulnerable to internal threat actors or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft describes this as 'exploitation more likely' but no public exploits have been observed. The unauthenticated nature makes it easier to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2024 security updates (KB5040442 for Server 2022, KB5040434 for Server 2019, KB5040430 for Server 2016)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38231

Restart Required: Yes

Instructions:

1. Apply the July 2024 Windows Server security updates from Windows Update.
2. Restart the server to complete installation.
3. Verify the Remote Desktop Licensing Service is running normally.

🔧 Temporary Workarounds

Disable Remote Desktop Licensing Service

windows

Temporarily stop and disable the vulnerable service if not actively needed

Stop-Service -Name TermServLicensing
Set-Service -Name TermServLicensing -StartupType Disabled

Network Segmentation

windows

Restrict network access to the licensing service ports (TCP 135, 445, 3389)

New-NetFirewallRule -DisplayName "Block RD Licensing" -Direction Inbound -Protocol TCP -LocalPort 135,445,3389 -Action Block

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with the Remote Desktop Licensing Service
  • Monitor the TermServLicensing service for crashes and implement automated restart procedures

🔍 How to Verify

Check if Vulnerable:

Check if the Remote Desktop Licensing role is installed:

Get-WindowsFeature -Name RDS-Licensing

Check the OS version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the July 2024 update for your OS version is installed (KB5040442, KB5040434, or KB5040430), for example:

Get-HotFix -Id KB5040442

Check service status:

Get-Service TermServLicensing

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7034 in System logs indicating TermServLicensing service terminated unexpectedly
  • Multiple service crash events in short time period

Network Indicators:

  • Unusual traffic patterns to TCP ports 135, 445, or 3389 from unexpected sources
  • Multiple connection attempts to licensing service

SIEM Query:

source="windows" event_id=7034 service_name="TermServLicensing"
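
The two log indicators above (Event ID 7034 for the licensing service, and several crashes in a short period) can be checked together on the server itself. The PowerShell below is an added example, not code from the vendor advisory; the function names, the 3-crashes-in-10-minutes threshold, the display name 'Remote Desktop Licensing' (confirm with Get-Service TermServLicensing) and the sample events are assumptions or constructed for illustration.

```powershell
# Added example. Threshold, window and function names are assumptions, not vendor guidance.
function Get-LicensingCrashEvent {
    param([int] $Days = 7)
    # Event ID 7034 = "service terminated unexpectedly", logged by Service Control Manager.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7034; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the first event property holds the service name as displayed.
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; ServiceName = [string]$_.Properties[0].Value }
    }
}

function Find-ServiceCrashBurst {
    param(
        [object[]] $Events = @(),
        # Match both the short name and the display name (display name is an assumption).
        [string[]] $ServiceNames = @('TermServLicensing', 'Remote Desktop Licensing'),
        [int] $Threshold = 3,
        [timespan] $Window = (New-TimeSpan -Minutes 10)
    )
    $hits = @($Events | Where-Object { $ServiceNames -contains $_.ServiceName } |
              Sort-Object TimeCreated)
    $i = 0
    while ($i -lt $hits.Count) {
        $start = $hits[$i].TimeCreated
        $end   = $start.Add($Window)
        $inWindow = @($hits | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
        if ($inWindow.Count -ge $Threshold) {
            [pscustomobject]@{ First = $start; Last = $inWindow[-1].TimeCreated; Crashes = $inWindow.Count }
            $i += $inWindow.Count      # skip past the burst that was just reported
        } else {
            $i++
        }
    }
}

# Constructed sample events (not real log data) so the logic can be tried offline.
$t0 = Get-Date '2024-07-15T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               ServiceName = 'Remote Desktop Licensing' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); ServiceName = 'Remote Desktop Licensing' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); ServiceName = 'Print Spooler' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); ServiceName = 'Remote Desktop Licensing' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(6);   ServiceName = 'Remote Desktop Licensing' }
)
Find-ServiceCrashBurst -Events $sample

# Against the live System log on the licensing server:
# Find-ServiceCrashBurst -Events (Get-LicensingCrashEvent -Days 7)
```

A single isolated crash is not reported; only runs that reach the threshold inside the window are, which separates repeated crashing from a one-off service fault.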
