CVE-2024-43564
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are at risk.
💻 Affected Systems
- Windows Server
📦 What is this software?
Routing and Remote Access Service (RRAS) is the Windows Server role that provides VPN endpoints (PPTP, L2TP/IPsec, SSTP, IKEv2), dial-up access, NAT, and software routing. It runs as the RemoteAccess service inside an svchost.exe process under the LocalSystem account, which is why a memory-corruption bug in it yields SYSTEM-level code execution rather than a low-privilege foothold.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact due to network segmentation, proper patching, and disabled RRAS on non-essential systems.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the RRAS service; no authentication is needed. Consult the vendor advisory's CVSS vector and Exploitability Index for whether user interaction is required and whether exploitation has been observed in the wild; this page does not document a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43564
Restart Required: Yes
Instructions:
1. Apply the latest Windows Server security updates from Microsoft Update (or your WSUS/SCCM channel).
2. Restart the affected servers; the fix is not active until the RRAS binaries have been reloaded.
3. Verify that the RRAS service is running properly after the restart.
🔧 Temporary Workarounds
Disable RRAS Service
Temporarily disable Routing and Remote Access Service if it is not required (run from an elevated PowerShell):
Stop-Service RemoteAccess
Set-Service RemoteAccess -StartupType Disabled
Block RRAS Ports
Block network access to the RRAS VPN listener ports. Note the protocols: PPTP is TCP 1723 (plus GRE, IP protocol 47), while L2TP is UDP 1701, not TCP; L2TP/IPsec and IKEv2 additionally use UDP 500 and 4500.
New-NetFirewallRule -DisplayName "Block RRAS PPTP" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS L2TP" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Block
Port blocking only covers the VPN listeners; RRAS also exposes an RPC management interface (TCP 135 plus dynamic ports), so disabling the service is the more reliable workaround where RRAS is not needed.
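The two workarounds above combined into one idempotent script, as an added example (not taken from the advisory or from Microsoft). It assumes the host does not need RRAS at all; the firewall rule names are arbitrary, and the SSTP rule for TCP 443 is left commented out because that port is shared with any HTTPS service on the box.

```powershell
# Added example: disable RRAS and block its usual inbound listeners.
# Run in an elevated PowerShell on the affected server.
# Assumption: this server does not need RRAS; review before use in production.

$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "RemoteAccess service not present; nothing to disable."
} else {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name RemoteAccess -Force
    }
    Set-Service -Name RemoteAccess -StartupType Disabled
    Write-Host "RemoteAccess service stopped and set to Disabled."
}

# Inbound listeners used by the RRAS VPN protocols. Note the protocol column:
# L2TP is UDP/1701 (not TCP); L2TP/IPsec and IKEv2 use UDP/500 and UDP/4500.
$rrasRules = @(
    @{ Name = 'Block RRAS PPTP (TCP 1723)';     Protocol = 'TCP'; Port = 1723 },
    @{ Name = 'Block RRAS L2TP (UDP 1701)';     Protocol = 'UDP'; Port = 1701 },
    @{ Name = 'Block RRAS IKE/IPsec (UDP 500)'; Protocol = 'UDP'; Port = 500  },
    @{ Name = 'Block RRAS NAT-T (UDP 4500)';    Protocol = 'UDP'; Port = 4500 }
)
foreach ($r in $rrasRules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -Action Block | Out-Null
    }
}

# PPTP data travels over GRE, which has no port; block it by IP protocol number 47.
if (-not (Get-NetFirewallRule -DisplayName 'Block RRAS GRE' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block RRAS GRE' -Direction Inbound -Protocol 47 -Action Block | Out-Null
}

# SSTP listens on TCP/443, shared with HTTPS. Only enable this if nothing else serves TLS here.
# New-NetFirewallRule -DisplayName 'Block RRAS SSTP (TCP 443)' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Block

# Show what is now in place.
Get-NetFirewallRule -DisplayName 'Block RRAS*' | Select-Object DisplayName, Enabled, Direction, Action
```

The rules are host firewall rules and only matter if the Windows Defender Firewall profile is enforced on the interfaces that face untrusted networks; they do not cover the RRAS RPC management endpoint, so keep the service disabled as the primary control until the update is installed.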
🧯 If You Can't Patch
- Segment RRAS servers from critical network segments using firewalls
- Implement strict network access controls to limit RRAS exposure
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS role is installed (Windows Server only; requires the ServerManager module): Get-WindowsFeature Routing | Select-Object Installed. Installed is not the same as exposed: the host is at risk only if the RemoteAccess service is also running and reachable.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm that the Windows Update history (or Get-HotFix) lists the October 2024 cumulative update for the host's OS build as given on the vendor advisory, that the server has been restarted since, and that the RRAS service functions normally.
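An added example (not from the advisory) that combines the three checks above into one per-host report: OS build, whether the RRAS role and service are present and running, which of the usual VPN ports are actually listening, and whether a given update is installed. The `$RequiredKb` parameter is a placeholder; take the real KB number for your OS build from the MSRC page, since this script does not know it.

```powershell
# Added example: RRAS exposure and patch-state report for one host.
# Assumptions: run elevated; $RequiredKb is filled in from the MSRC advisory.
param(
    [string]$RequiredKb = 'KBxxxxxxx'   # placeholder, not a real KB for this CVE
)

$report = [ordered]@{}

# OS identity: the build number is what maps to a specific cumulative update.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS']    = $os.Caption
$report['Build'] = $os.BuildNumber

# Is the RRAS role installed? Get-WindowsFeature exists only on Windows Server.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $features = Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN
    $report['RRASFeaturesInstalled'] = ($features | Where-Object Installed).Name -join ','
} else {
    $report['RRASFeaturesInstalled'] = 'n/a (Get-WindowsFeature not available)'
}

# Is the service present and running? Running and reachable is the exposure that matters.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$report['ServiceStatus']  = if ($svc) { $svc.Status }    else { 'not installed' }
$report['ServiceStartup'] = if ($svc) { $svc.StartType } else { 'n/a' }

# Which of the usual RRAS listener ports are actually open on this host?
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalPort -in 1723, 443 }
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalPort -in 1701, 500, 4500 }
$report['ListeningTCP'] = ($tcp.LocalPort | Sort-Object -Unique) -join ','
$report['ListeningUDP'] = ($udp.LocalPort | Sort-Object -Unique) -join ','

# Is the fixing update present? Get-HotFix reads Win32_QuickFixEngineering.
$hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
$report['FixInstalled']  = [bool]$hotfix
$report['LatestUpdates'] = (Get-HotFix | Sort-Object InstalledOn -Descending |
                            Select-Object -First 3).HotFixID -join ','

# Verdict: exposed if the service is running and the fix is absent.
$report['Exposed'] = [bool]($svc -and $svc.Status -eq 'Running' -and -not $hotfix)

[pscustomobject]$report | Format-List
```

Run it as `.\Check-Rras.ps1 -RequiredKb KB<number>` on each candidate server, or wrap it in `Invoke-Command -ComputerName` to sweep a fleet. A `FixInstalled` of True still needs a reboot after the update to count as remediated.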
📡 Detection & Monitoring
Log Indicators:
- RRAS service crashes: Service Control Manager events 7031/7034 in the System log for "Routing and Remote Access", and Application Error (1000) / Windows Error Reporting (1001) events for svchost.exe in the Application log; a failed heap-overflow attempt commonly shows up as a crash before a successful one
- Failed authentication attempts to RRAS (RasClient/RemoteAccess events), which may indicate probing of the VPN listeners
- Suspicious network connections to RRAS ports from hosts that do not normally connect
Network Indicators:
- Unusual traffic patterns to RRAS ports: TCP 1723 and GRE for PPTP; UDP 1701, 500 and 4500 for L2TP/IPsec and IKEv2; TCP 443 for SSTP
- Malformed or oversized packets targeting the RRAS service, especially from a single source just before a service crash
SIEM Query (pseudo-syntax; adapt field names to your platform):
(source="windows" AND log="Application" AND (event_id=1000 OR event_id=1001) AND faulting_application="svchost.exe") OR (source="windows" AND log="System" AND (event_id=7031 OR event_id=7034) AND service_name="Routing and Remote Access")
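The same hunt run directly against a server's event logs, as an added example (not part of the original page or of any vendor tooling). It collects the Service Control Manager and Application Error events listed above for a time window and prints the first line of each message; the `-ComputerName` and `-Days` parameters are this example's own.

```powershell
# Added example: pull the crash evidence that exploitation attempts against RRAS
# tend to leave in the event logs. Assumptions: run elevated; remote collection
# needs the Remote Event Log Management firewall rules enabled on the target.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)
$since = (Get-Date).AddDays(-$Days)

# 1) System log, Service Control Manager: RRAS terminated unexpectedly.
#    7034 = service terminated unexpectedly; 7031 = same, with a recovery action taken.
$scm = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Routing and Remote Access' }

# 2) Application log: svchost.exe faulting (1000 = Application Error, 1001 = Windows Error Reporting).
#    RRAS runs inside svchost.exe, so match the faulting application name in the message text.
$crash = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Application'; Id = 1000, 1001; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'svchost\.exe' }

# Get-WinEvent returns nothing (with a non-terminating error) when no events match,
# so build the result set explicitly rather than concatenating possibly-null values.
$findings = @()
if ($scm)   { $findings += $scm }
if ($crash) { $findings += $crash }

$findings = @($findings | Sort-Object TimeCreated | Select-Object TimeCreated, LogName, Id,
    @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } })

if ($findings.Count -eq 0) {
    Write-Host "No RRAS crash indicators on $ComputerName in the last $Days days."
} else {
    $findings | Format-Table -AutoSize
    # A burst of 1000/1001 events followed by 7031/7034 for RRAS, all within minutes
    # and after inbound traffic from one source, is the pattern worth escalating.
}
```

Matching on message text is an approximation good enough for a spot check; a SIEM rule should parse the event's EventData fields (faulting application, faulting module, service name) instead, and correlate the crash time with firewall or NetFlow records for the RRAS ports to identify the source host.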