CVE-2024-43549

8.8 HIGH

📋 TL;DR

A remote code execution flaw in the Windows Routing and Remote Access Service (RRAS): a specially crafted request sent to a host running RRAS can corrupt memory in the RRAS host process and lead to code execution in that process, which runs as LocalSystem. It affects Windows servers and workstations only when RRAS is installed and running. A successful exploit gives the attacker SYSTEM-level control of the host.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11 (the MSRC advisory lists the complete set of affected versions and builds; check it for your exact OS build)
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if RRAS is installed and the RemoteAccess service is running. On Windows Server it is an optional role (Remote Access) that is not installed by default; on Windows 10/11 the RemoteAccess service exists but is set to Disabled by default.

📦 What is this software?

Routing and Remote Access Service (RRAS) is the VPN server, router and NAT component built into Windows. On Windows Server it is installed as part of the Remote Access role and terminates PPTP, L2TP/IPsec, SSTP and IKEv2 VPN connections, and can also provide dial-up, LAN routing and NAT. The Windows service name is RemoteAccess; it runs as LocalSystem inside an svchost.exe process, which is why a memory-corruption bug in it yields SYSTEM rather than a low-privilege account.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling lateral movement, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠

Likely Case

Initial foothold leading to privilege escalation, credential harvesting, and network reconnaissance for further attacks.

🟢

If Mitigated

No attack surface if RRAS is disabled. If RRAS must run but inbound tunnel traffic is restricted at the firewall to known VPN peers, only those peers can reach the vulnerable code; a malformed request from one of them could still crash the service (denial of service), but opportunistic full compromise from arbitrary sources is ruled out.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Unconfirmed (see note)
Complexity: MEDIUM

Classified as CWE-121 (Stack-based Buffer Overflow); exploitation requires network reachability to the RRAS service. Note on authentication: a network-reachable RCE with no privileges and no user interaction scores 9.8 under CVSS 3.1, so the 8.8 base score above means the vector carries either low privileges (PR:L) or user interaction (UI:R). Read the vector string in the MSRC advisory before treating this as a fully unauthenticated remote exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The October 2024 cumulative security update for your Windows build, or any later cumulative update (Windows updates are cumulative, so a newer monthly update also contains this fix). The MSRC advisory lists the KB and fixed build per version.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43549

Restart Required: Yes

Instructions:

1. Windows 10: Settings > Update & Security > Windows Update. Windows 11 and Windows Server 2022 and later: Settings > Windows Update. Install all pending security updates.
2. For enterprise: Deploy via WSUS, SCCM, or download the package from the Microsoft Update Catalog
3. Restart the system after installation; the fix is not active until the reboot completes

🔧 Temporary Workarounds

Disable RRAS Service

Stop and disable the Routing and Remote Access Service if it is not required (service name RemoteAccess). This removes the attack surface entirely rather than narrowing it:

sc stop RemoteAccess
sc config RemoteAccess start= disabled

Block RRAS Ports

If RRAS must stay up, restrict inbound access to its tunnel ports to known peers. The rules below block PPTP control (TCP 1723), L2TP (UDP 1701) and IKE (UDP 500). If those tunnel types are enabled, also cover IKE NAT-T (UDP 4500), GRE (IP protocol 47, which carries PPTP data) and SSTP (TCP 443), and be aware that blocking UDP 500/4500 or TCP 443 also affects any other IPsec or HTTPS listener on the host. A port block reduces who can reach RRAS; it does not remove the bug, so it is a stopgap until the update is installed.

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500

🧯 If You Can't Patch

  • Disable RRAS service immediately if not required
  • Implement strict network segmentation and firewall rules to isolate RRAS systems
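The two workarounds above as one idempotent PowerShell script. This is an added example, not a script from Microsoft or from the advisory; the firewall rule names are this script's own choice, and the port list goes beyond the netsh rules above (it adds UDP 4500, GRE and, optionally, SSTP on TCP 443). It assumes a Windows host with the NetSecurity module, which every supported Windows version ships.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the MSRC advisory or the page): apply the RRAS workarounds
# as a re-runnable script. -DisableService stops and disables RemoteAccess; without it
# only the inbound firewall blocks are added. -IncludeSstp443 also blocks TCP 443, which
# will break any other HTTPS listener on the host, so it is opt-in. Blocking UDP 500/4500
# likewise affects unrelated IPsec peers; review before running on a multi-role server.
param(
    [switch]$DisableService,
    [switch]$IncludeSstp443
)

$ErrorActionPreference = 'Stop'

function Disable-RrasService {
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output 'RemoteAccess service not present; nothing to disable.'; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name RemoteAccess -Force }
    Set-Service -Name RemoteAccess -StartupType Disabled
    $svc = Get-Service -Name RemoteAccess
    Write-Output ("RemoteAccess: status={0}, startup={1}" -f $svc.Status, $svc.StartType)
}

# One rule per protocol family. Names are arbitrary (this script's own) but fixed, so
# re-running the script finds the existing rule instead of creating duplicates.
$rules = @(
    @{ Name = 'CVE-2024-43549 block PPTP control';   Protocol = 'TCP'; LocalPort = '1723' }
    @{ Name = 'CVE-2024-43549 block L2TP/IKE/NAT-T'; Protocol = 'UDP'; LocalPort = '1701', '500', '4500' }
    @{ Name = 'CVE-2024-43549 block GRE (PPTP data)'; Protocol = '47' }   # GRE has no ports
)
if ($IncludeSstp443) {
    $rules += @{ Name = 'CVE-2024-43549 block SSTP'; Protocol = 'TCP'; LocalPort = '443' }
}

function Add-RrasBlockRules {
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Output "exists: $($r.Name)"
            continue
        }
        $params = @{
            DisplayName = $r.Name
            Direction   = 'Inbound'
            Action      = 'Block'
            Protocol    = $r.Protocol
            Profile     = 'Any'
        }
        if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }
        New-NetFirewallRule @params | Out-Null
        Write-Output "added:  $($r.Name)"
    }
}

if ($DisableService) { Disable-RrasService }
Add-RrasBlockRules

# Show the resulting rule set so the change can be recorded in the change ticket.
Get-NetFirewallRule -DisplayName 'CVE-2024-43549 block*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize
```

Run it as `.\Mitigate-Rras.ps1 -DisableService` on hosts that do not need RRAS, and without the switch on VPN gateways where only the port restriction is acceptable. To roll back after patching, remove the rules with `Get-NetFirewallRule -DisplayName 'CVE-2024-43549 block*' | Remove-NetFirewallRule` and re-enable the service with `Set-Service RemoteAccess -StartupType Automatic`.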

🔍 How to Verify

Check if Vulnerable:

Check whether the RRAS service is running (a host where it is stopped and disabled is not exposed): sc query RemoteAccess | findstr RUNNING

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Compare the OS build reported by systeminfo (or winver) with the fixed build listed for your version in the MSRC advisory; the fix is present when the build number is at or above that value, and Windows Update history should show the October 2024 or a later cumulative update. RRAS is not versioned independently of Windows (its binaries ship inside the cumulative update), so the OS build is the reference, not a separate RRAS version.
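The three checks above in one PowerShell assessment script. This is an added example, not part of the page or of Microsoft's guidance. It deliberately hard-codes no KB or build numbers: the fixed build for each OS version must be taken from the MSRC advisory and passed in as a parameter, so the script never claims a patch state it cannot justify.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or Microsoft): assess one host for CVE-2024-43549.
# Reports (a) RRAS service/role state, (b) RRAS-related listening ports, and (c) whether
# the OS build is at or beyond a fixed build YOU supply from the MSRC advisory, e.g.
#   .\Check-Rras.ps1 -FixedUbrByBuild @{ 20348 = <UBR of the fixed Server 2022 build> }
# Keys are CurrentBuildNumber as integers; values are the minimum UBR (the part after the
# dot in "OS Build 20348.NNNN"). With no table the patch state is reported as unknown.
param(
    [hashtable]$FixedUbrByBuild = @{}
)

# Ports RRAS tunnel types use: PPTP control, SSTP; IKE, L2TP, IKE NAT-T.
$rrasPorts = @{ TCP = 1723, 443; UDP = 500, 1701, 4500 }

function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion      # absent on older builds, then empty
        Build          = [int]$cv.CurrentBuildNumber
        Ubr            = [int]$cv.UBR
    }
}

function Get-RrasServiceState {
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'absent'; StartType = 'n/a'; RoleInstalled = $false }
    }
    $role = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {   # Server SKUs only
        $role = [bool](Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue).Installed
    }
    [pscustomobject]@{ Present = $true; Status = $svc.Status; StartType = $svc.StartType; RoleInstalled = $role }
}

function ConvertTo-ListenerRecord([string]$Proto, $Endpoint) {
    [pscustomobject]@{
        Proto         = $Proto
        LocalAddress  = $Endpoint.LocalAddress
        LocalPort     = $Endpoint.LocalPort
        OwningProcess = $Endpoint.OwningProcess
        Owner         = (Get-Process -Id $Endpoint.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }
}

function Get-RrasListeners {
    # PPTP/L2TP listeners belong to kernel WAN miniports (shown as PID 4 / System) and
    # IKE to the IKEEXT service, not to the RemoteAccess svchost. Treat any listener on
    # these ports on a host where RRAS is running as exposure.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $rrasPorts.TCP }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $rrasPorts.UDP }
    foreach ($e in @($tcp)) { ConvertTo-ListenerRecord 'TCP' $e }
    foreach ($e in @($udp)) { ConvertTo-ListenerRecord 'UDP' $e }
}

function Test-PatchState([pscustomobject]$Os, [hashtable]$Fixed) {
    if (-not $Fixed.ContainsKey($Os.Build)) { return "unknown: no fixed build supplied for build $($Os.Build)" }
    if ($Os.Ubr -ge [int]$Fixed[$Os.Build]) { return 'patched' }
    return 'NOT patched'
}

$os   = Get-OsBuild
$svc  = Get-RrasServiceState
$list = @(Get-RrasListeners)

[pscustomobject]@{
    OS          = "$($os.ProductName) $($os.DisplayVersion) build $($os.Build).$($os.Ubr)".Trim()
    RrasService = "$($svc.Status) / startup $($svc.StartType) / role installed: $($svc.RoleInstalled)"
    Exposed     = ($svc.Present -and $svc.Status -eq 'Running' -and $list.Count -gt 0)
    PatchState  = Test-PatchState -Os $os -Fixed $FixedUbrByBuild
} | Format-List

if ($list.Count -gt 0) { $list | Format-Table -AutoSize }
```

`Exposed` is true only when the service is running and at least one tunnel port is actually listening; a host with RRAS installed but stopped reports false, which matches the "Default Config Vulnerable: No" note above. Run it through your remote-execution tooling (for example `Invoke-Command`) to sweep a fleet and sort by `Exposed` and `PatchState`.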

📡 Detection & Monitoring

Log Indicators:

  • Security 4688 (or Sysmon Event 1) where the parent is the svchost.exe hosting RemoteAccess. That process has no business spawning children, so any child (cmd.exe, powershell.exe, rundll32.exe, ...) is a strong post-exploitation signal
  • System log: Service Control Manager 7031/7034 ("service terminated unexpectedly") for Routing and Remote Access, and Application log: Application Error 1000 with svchost.exe as the faulting application and an RRAS module as the faulting module. Repeated crashes on a patched or unpatched host suggest exploitation attempts that did not land
  • Network connections to RRAS ports from sources that are not known VPN peers

Network Indicators:

  • New or unusual source addresses sending to TCP 1723, UDP 1701/500/4500 or GRE
  • Malformed or truncated PPTP/L2TP/IKE sessions that coincide with a service restart

SIEM Query:

Field names below are generic; map them to your schema. The parent command line comes from Sysmon Event 1 (ParentCommandLine); native 4688 carries only the parent process name and creator PID, so with 4688 alone correlate on the creator PID of the RemoteAccess svchost instead.

source="windows" AND (
    (event_id=4688 AND parent_process_name LIKE "%svchost.exe" AND parent_command_line LIKE "%RemoteAccess%")
 OR (event_id IN (7031, 7034) AND message LIKE "%Routing and Remote Access%")
 OR (event_id=1000 AND faulting_application LIKE "%svchost.exe" AND (faulting_module LIKE "%mprdim%" OR faulting_module LIKE "%iprtrmgr%" OR faulting_module LIKE "%ras%"))
)
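For a host where no SIEM coverage exists yet, the same indicators can be checked locally. The script below is an added example, not from the page or from Microsoft: it locates the svchost.exe hosting RemoteAccess, lists any live child processes it has, pulls RRAS crash and unexpected-termination events, and matches Security 4688 events whose creator PID is that svchost. Step three assumes process creation auditing (4688) is enabled; the module-name pattern for Event 1000 is a heuristic, not a list from the advisory.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page): local triage for the RRAS indicators above.
# 1. svchost.exe hosting RemoteAccess and any live child processes (should be none)
# 2. System 7031/7034 for Routing and Remote Access, Application 1000 for that svchost
# 3. Security 4688 events whose creator PID is the RRAS svchost (needs 4688 auditing)
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

function Get-RrasHostProcess {
    $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }   # not installed or not running
    Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
}

function Get-RrasChildProcesses([System.Diagnostics.Process]$HostProc) {
    if (-not $HostProc) { return @() }
    Get-CimInstance Win32_Process -Filter "ParentProcessId=$($HostProc.Id)" |
        Select-Object ProcessId, Name, CommandLine, CreationDate
}

function Get-RrasCrashEvents {
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Routing and Remote Access' }

    # Heuristic: svchost.exe faulting in an RRAS-related module (mprdim/iprtrmgr/ras*.dll).
    $wer = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'svchost\.exe' -and $_.Message -match 'mprdim|iprtrmgr|ras\w*\.dll' }

    @($scm) + @($wer) | Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-ProcessesSpawnedByRras([System.Diagnostics.Process]$HostProc) {
    if (-not $HostProc) { return @() }
    # PIDs are reused, so only consider 4688 events logged after this svchost started.
    # The creator PID in 4688 EventData ("ProcessId") is a hex string such as 0x1a4;
    # [int] handles the 0x prefix.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $HostProc.StartTime } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ([int]$data['ProcessId'] -eq $HostProc.Id) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                NewProcess  = $data['NewProcessName']
                CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }
}

$rras = Get-RrasHostProcess
if ($rras) { "RRAS host: svchost.exe PID $($rras.Id), started $($rras.StartTime)" }
else       { 'RemoteAccess is not running; only crash events below are relevant.' }

'--- live child processes of the RRAS svchost ---'
Get-RrasChildProcesses $rras | Format-Table -AutoSize
"--- RRAS crash / unexpected termination events (last $LookbackHours h) ---"
Get-RrasCrashEvents | Format-Table -AutoSize
'--- 4688: processes created by the RRAS svchost since it started ---'
Get-ProcessesSpawnedByRras $rras | Format-Table -AutoSize
```

Any row in the child-process or 4688 sections is worth treating as an incident until explained; the crash section is noisier and mainly useful for spotting a burst of service restarts that lines up with inbound traffic on the tunnel ports.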

🔗 References

  • Microsoft Security Response Center advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43549