CVE-2024-38240

Q: What is the severity of CVE-2024-38240?

CVE-2024-38240 has a CVSS score of 8.1 (HIGH). This vulnerability allows an authenticated attacker to elevate privileges on Windows systems by exploiting a flaw in the Remote Access Connection Manager service. Attackers could gain SYSTEM-level access, potentially taking full control of affected machines. This affects Windows systems with the vulnerable service enabled.

8.1 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to elevate privileges on Windows systems by exploiting a flaw in the Remote Access Connection Manager service. Attackers could gain SYSTEM-level access, potentially taking full control of affected machines. This affects Windows systems with the vulnerable service enabled.

💻 Affected Systems

Products:

Windows Remote Access Connection Manager

Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the Remote Access Connection Manager service to be running. This service is typically enabled by default on many Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence establishment.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional tools, and access sensitive system resources.

🟢

If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place to detect and contain privilege escalation attempts.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring authenticated access to the target system.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a Windows system, they can exploit this to elevate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access to the target system. The vulnerability involves improper bounds checking (CWE-125) that could lead to memory corruption and privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the latest Windows security updates from Microsoft's July 2024 Patch Tuesday or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38240

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Disable Remote Access Connection Manager Service

windows

Disables the vulnerable service if not required for business operations

sc config RasMan start= disabled
sc stop RasMan

Restrict Service Permissions

windows

Limit which users can interact with the service

sc sdset RasMan D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

Implement strict access controls and limit user privileges to reduce attack surface
Enable enhanced monitoring and logging for privilege escalation attempts and service manipulation

🔍 How to Verify

Check if Vulnerable:

Check if the system has the July 2024 Windows security updates installed. Systems without these updates are vulnerable.

Check Version:

wmic qfe list | findstr KB5039211

Verify Fix Applied:

Verify the Windows Update history shows installation of KB5039211 (or later) and that the system has been restarted.

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with process creation from RasMan service
Unexpected privilege escalation events
Service manipulation logs in Windows Event Log

Network Indicators:

Unusual outbound connections following local privilege escalation
Lateral movement attempts from previously compromised hosts

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%RasMan%' OR ParentProcessName LIKE '%RasMan%')

📊 Metadata

CVE ID: CVE-2024-38240

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: September 10, 2024

Last Updated: September 17, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38240 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Remote Access Connection Manager Service

Restrict Service Permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities