CVE-2024-43467
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Remote Desktop Licensing Service. Attackers can exploit this without authentication to gain SYSTEM privileges on affected servers. Organizations using Windows Remote Desktop Services with licensing enabled are primarily affected.
💻 Affected Systems
- Windows Remote Desktop Licensing Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.
Likely Case
Initial foothold for attackers to establish persistence, deploy malware, and move laterally within the network to compromise additional systems.
If Mitigated
Limited impact due to network segmentation and proper access controls, potentially resulting in isolated service disruption but preventing lateral movement.
🎯 Exploit Status
Microsoft has rated this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates (KB5037765 for Windows Server 2022, KB5037768 for Windows Server 2019, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43467
Restart Required: Yes
Instructions:
1. Apply the May 2024 Windows security updates from the Microsoft Update Catalog.
2. Restart affected systems.
3. Verify the patch is installed via Windows Update history or system information.
🔧 Temporary Workarounds
Disable Remote Desktop Licensing Service
Stop and disable the vulnerable service if it is not required for operations:
sc stop TermServLicensing
sc config TermServLicensing start= disabled
Block RPC port 135
Block incoming connections to the RPC endpoint mapper port used by the service. Note that this rule also blocks other inbound RPC-based management traffic (such as WMI and remote service control) from the same sources, so scope it to untrusted networks rather than applying it to every source:
netsh advfirewall firewall add rule name="Block RPC 135" dir=in action=block protocol=TCP localport=135
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Remote Desktop Licensing servers from critical assets
- Apply principle of least privilege and monitor for suspicious service activity
🔍 How to Verify
Check if Vulnerable:
Check whether the Remote Desktop Licensing Service is installed and running, and whether the May 2024 security updates are missing.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that KB5037765 (Server 2022), KB5037768 (Server 2019), or the equivalent May 2024 update for your OS version is installed.
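The following PowerShell script is an added example and is not part of the original advisory. It combines the two checks above (service present/running, fix KB installed) into a single assessment object. The service name TermServLicensing and the KB numbers for Server 2022 and Server 2019 are taken from the advisory; the OS-to-KB map is otherwise an assumption that you must extend for other Windows versions, and the function name Get-LicensingExposure is hypothetical.

```powershell
# Added example (not from the original advisory): assess a host against the
# conditions in "How to Verify". Run as an administrator on the host.
$ServiceName = 'TermServLicensing'   # service name from the advisory

# KB that closes the issue per the advisory, keyed by a substring of the
# OS caption the host reports. Assumption: extend this map for other versions.
$FixKbByOs = @{
    'Server 2022' = 'KB5037765'
    'Server 2019' = 'KB5037768'
}

function Get-LicensingExposure {
    $os  = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # Pick the KB that applies to this OS (null if the OS is not in the map).
    $expectedKb = $null
    foreach ($key in $FixKbByOs.Keys) {
        if ($os -like "*$key*") { $expectedKb = $FixKbByOs[$key]; break }
    }

    # Get-HotFix lists installed updates; the KB is present only if it returns a row.
    $patched = $false
    if ($expectedKb) {
        $patched = [bool](Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue)
    }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        OSName           = $os
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        StartType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        ExpectedKb       = if ($expectedKb) { $expectedKb } else { 'unknown - check the advisory' }
        PatchInstalled   = $patched
        # Flagged whenever the service exists and the fix is missing. A stopped or
        # disabled service is still flagged so it gets patched before anyone
        # re-enables it; a disabled service is the workaround, not the fix.
        Exposed          = ([bool]$svc) -and (-not $patched)
    }
}

Get-LicensingExposure | Format-List
```

If ExpectedKb reports "unknown", the host runs a version the map does not cover; look up the matching May 2024 update in the vendor advisory and add it to $FixKbByOs rather than trusting the Exposed value for that host.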
📡 Detection & Monitoring
Log Indicators:
- Unexpected TermServLicensing service crashes
- Suspicious process creation from svchost.exe
- Unusual network connections from licensing service
Network Indicators:
- Anomalous RPC traffic to port 135 from external sources
- Unexpected outbound connections from licensing server
SIEM Query:
source="windows" AND (event_id=7034 OR event_id=4688) AND process_name="TermServLicensing"
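As an added example (not part of the original advisory), the PowerShell below turns the log indicators above into a filter that runs over event objects. It is fed constructed sample events so it runs offline; the commented lines at the end show how to feed it real Get-WinEvent output instead. Event IDs 7034 and 4688 and the Remote Desktop Licensing service come from the advisory; the sample events, the function name Get-LicensingIndicator, and the list of child processes treated as unexpected under svchost.exe are assumptions to tune for your environment.

```powershell
# Added example (not from the original advisory): flag the two log indicators
# named in "Detection & Monitoring" from event objects.
$ServiceDisplayName = 'Remote Desktop Licensing'   # appears in the 7034 message text
# Assumed list of svchost.exe children a licensing host should not normally spawn.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'rundll32.exe', 'mshta.exe')

function Get-LicensingIndicator {
    param([Parameter(ValueFromPipeline)] $Event)   # needs Id, TimeCreated, Message
    process {
        $msg = $Event.Message
        switch ($Event.Id) {
            7034 {
                # Service Control Manager: "<service> terminated unexpectedly"
                if ($msg -match [regex]::Escape($ServiceDisplayName)) {
                    [PSCustomObject]@{
                        Time = $Event.TimeCreated; Id = 7034
                        Indicator = 'Licensing service crash'
                        Detail = ($msg -split "`n")[0].Trim()
                    }
                }
            }
            4688 {
                # Security log process creation: pull the new and creator process paths
                # from the message body (paths containing spaces are not handled here).
                $new    = if ($msg -match 'New Process Name:\s*(\S+)')     { $Matches[1] }
                $parent = if ($msg -match 'Creator Process Name:\s*(\S+)') { $Matches[1] }
                if ($new -and $parent) {
                    $parentLeaf = [IO.Path]::GetFileName($parent).ToLower()
                    $newLeaf    = [IO.Path]::GetFileName($new).ToLower()
                    if ($parentLeaf -eq 'svchost.exe' -and $SuspiciousChildren -contains $newLeaf) {
                        [PSCustomObject]@{
                            Time = $Event.TimeCreated; Id = 4688
                            Indicator = 'Unexpected child process of svchost.exe'
                            Detail = "$parent -> $new"
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample events in the shape Get-WinEvent returns. Two should match
# (the licensing crash and the cmd.exe child of svchost.exe); two are benign noise.
$SampleEvents = @(
    [PSCustomObject]@{ Id = 7034; TimeCreated = [datetime]'2024-05-15T10:01:02'
        Message = "The Remote Desktop Licensing service terminated unexpectedly.  It has done this 1 time(s)." }
    [PSCustomObject]@{ Id = 7034; TimeCreated = [datetime]'2024-05-15T10:05:00'
        Message = "The Print Spooler service terminated unexpectedly.  It has done this 1 time(s)." }
    [PSCustomObject]@{ Id = 4688; TimeCreated = [datetime]'2024-05-15T10:01:05'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:`tC:\Windows\System32\cmd.exe`r`n`tCreator Process Name:`tC:\Windows\System32\svchost.exe" }
    [PSCustomObject]@{ Id = 4688; TimeCreated = [datetime]'2024-05-15T10:02:00'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:`tC:\Windows\System32\notepad.exe`r`n`tCreator Process Name:`tC:\Windows\explorer.exe" }
)

$SampleEvents | Get-LicensingIndicator | Format-Table -AutoSize

# Live use (as administrator on the licensing host), last 7 days:
# Get-WinEvent -FilterHashtable @{LogName='System';   Id=7034; StartTime=(Get-Date).AddDays(-7)} | Get-LicensingIndicator
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-7)} | Get-LicensingIndicator
```

The 4688 branch depends on "Creator Process Name" being present in the event, which requires process creation auditing to be enabled (Audit Process Creation under Detailed Tracking); without it the Security log carries no 4688 events and only the 7034 crash indicator can fire.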