CVE-2024-38263

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Remote Desktop Licensing Service. Attackers can exploit this without authentication to gain SYSTEM privileges on affected servers. Organizations using Windows Remote Desktop Services with licensing enabled are primarily affected.

💻 Affected Systems

Products:
  • Windows Remote Desktop Licensing Service
Versions: Windows Server 2019, Windows Server 2022, Windows 11, Windows 10
Operating Systems: Windows Server 2019, Windows Server 2022, Windows 11, Windows 10
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Remote Desktop Licensing role installed and service running. The service typically runs on TCP port 1352.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges leading to complete control of the server, lateral movement within the network, and potential data exfiltration.

🟠 Likely Case

Remote code execution leading to malware deployment, ransomware installation, or creation of persistent backdoors on vulnerable servers.

🟢 If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.

🌐 Internet-Facing: HIGH - The service can be exposed to the internet for licensing purposes, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability to move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2024 security updates (KB5040442 for Windows 10/11, KB5040434 for Server 2019, KB5040431 for Server 2022)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38263

Restart Required: Yes

Instructions:

1. Apply July 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Remote Desktop Licensing Service

windows

Stop and disable the vulnerable service if not required for operations.

sc stop TermServLicensing
sc config TermServLicensing start= disabled

Block network access to licensing service

windows

Use firewall rules to restrict access to TCP port 1352.

netsh advfirewall firewall add rule name="Block RD Licensing" dir=in action=block protocol=TCP localport=1352

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Remote Desktop Licensing servers
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts on port 1352

🔍 How to Verify

Check if Vulnerable:

Check if Remote Desktop Licensing Service is installed and running: sc query TermServLicensing

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2024 security updates are installed: wmic qfe list | findstr "KB5040442 KB5040434 KB5040431"

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 failed logons to RD Licensing service
  • Unexpected service crashes (Event ID 1000, 1001)
  • New processes spawned from TermServLicensing.exe

Network Indicators:

  • Unusual traffic patterns to TCP port 1352
  • Connection attempts from unexpected IP addresses to licensing service

SIEM Query:

source="windows" AND ((event_id=4625 AND service_name="TermServLicensing") OR (process_name="TermServLicensing.exe" AND parent_process!="services.exe"))
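
The log indicators and SIEM query above, written out as explicit predicates and run over constructed event records. This is an added example, not part of the original advisory or any vendor tooling. Field names follow the page's query; the `indicators` function, its labels and the sample events are assumptions made for illustration.

```python
# Added example: the page's log indicators as explicit predicates.
# Field names follow the page's SIEM query; "source" is assumed to be set
# by the log pipeline. All sample events below are constructed.
SERVICE = "TermServLicensing"
IMAGE = "TermServLicensing.exe"


def _eq(a, b):
    """Case-insensitive compare; Windows image names are not case-sensitive."""
    return (a or "").lower() == b.lower()


def indicators(event):
    """Return the names of the page's log indicators that this event matches."""
    if event.get("source") != "windows":
        return []
    proc, parent = event.get("process_name"), event.get("parent_process")
    hits = []
    # Query clause 1: failed logon (4625) tied to the licensing service.
    if event.get("event_id") == 4625 and _eq(event.get("service_name"), SERVICE):
        hits.append("failed_logon")
    # Query clause 2: licensing binary whose recorded parent is not services.exe.
    if _eq(proc, IMAGE) and parent and not _eq(parent, "services.exe"):
        hits.append("unexpected_parent")
    # Listed indicator, absent from the query: child of the licensing binary.
    if _eq(parent, IMAGE):
        hits.append("child_process")
    # Listed indicator, absent from the query: crash events 1000/1001.
    if event.get("event_id") in (1000, 1001) and _eq(proc, IMAGE):
        hits.append("service_crash")
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"source": "windows", "event_id": 4625, "service_name": "TermServLicensing"},
    {"source": "windows", "event_id": 4625, "service_name": "Netlogon"},
    {"source": "windows", "event_id": 4688, "process_name": "termservlicensing.exe", "parent_process": "services.exe"},
    {"source": "windows", "event_id": 4688, "process_name": "TermServLicensing.exe", "parent_process": "explorer.exe"},
    {"source": "windows", "event_id": 4688, "process_name": "cmd.exe", "parent_process": "TermServLicensing.exe"},
    {"source": "windows", "event_id": 1000, "process_name": "TermServLicensing.exe"},
    {"source": "linux", "event_id": 4625, "service_name": "TermServLicensing"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(indicators(ev), ev)
```

The child-process and crash predicates cover indicators the page lists but its query does not, so they need their own rules when the query is ported to a real SIEM.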
