CVE-2024-43589
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by sending specially crafted packets. It affects Windows servers and workstations with RRAS enabled. Attackers could gain SYSTEM-level privileges on vulnerable systems.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if network segmentation isolates RRAS servers and proper access controls are in place.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates (KB5037771 for Windows 11, KB5037765 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43589
Restart Required: Yes
Instructions:
1. Apply the May 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy them through WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable RRAS Service
Stop and disable the Routing and Remote Access Service if it is not required:
sc stop RemoteAccess
sc config RemoteAccess start= disabled
Block RRAS Ports
Block network access to the RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500):
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Network segmentation: Isolate RRAS servers from critical assets and internet
- Implement strict firewall rules to limit RRAS access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running ('sc query RemoteAccess') and whether the Windows build is still missing the May 2024 update.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify May 2024 security updates are installed via 'systeminfo' or 'Get-HotFix -Id KB5037771' (adjust KB number for your OS)
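The verification steps above collected into one local check, as an added PowerShell example that is not part of the original advisory. It assumes the KB numbers listed on this page (adjust them for the OS in question) and the port list from the workaround section; the function name Get-RrasExposure is a hypothetical one chosen for this example.

```powershell
# Added example: report the RRAS exposure state on the local host.
# KB ids are the ones this page lists; they are OS-build specific.
$KbIds       = @('KB5037771', 'KB5037765')
$RrasTcpPort = 1723
$RrasUdpPort = @(1701, 500, 4500)

function Get-RrasExposure {
    # 1. Is the Routing and Remote Access service present and running?
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) (StartType $($svc.StartType))" } else { 'not installed' }

    # 2. Is one of the listed updates installed?
    $installedKb = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 3. Are the RRAS ports actually listening on this host?
    $tcpListen = Get-NetTCPConnection -State Listen -LocalPort $RrasTcpPort -ErrorAction SilentlyContinue
    $udpListen = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $RrasUdpPort -contains $_.LocalPort }

    # 4. Do enabled inbound block rules cover those ports (the workaround above)?
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains "$RrasTcpPort") -or ($RrasUdpPort | Where-Object { $ports -contains "$_" })
        }

    [pscustomobject]@{
        RrasService    = $svcState
        PatchInstalled = if ($installedKb) { $installedKb -join ',' } else { 'none of the listed KBs' }
        ListeningPorts = @($tcpListen.LocalPort) + @($udpListen.LocalPort | Sort-Object -Unique)
        BlockRules     = @($blockRules.DisplayName)
        # Exposed: service running, no listed KB installed, and no firewall block in place
        Exposed        = [bool]($svc -and $svc.Status -eq 'Running' -and -not $installedKb -and -not $blockRules)
    }
}

Get-RrasExposure | Format-List
```

Run it in an elevated session; Get-NetTCPConnection and the firewall cmdlets need administrator rights to see every listener and rule.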
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with RRAS process creation
- Unusual network connections to RRAS ports
- Failed authentication attempts to RRAS
Network Indicators:
- Unusual traffic patterns to TCP 1723 or UDP 1701/500/4500
- Malformed packets to RRAS ports
SIEM Query:
(source="windows" AND event_id=4688 AND process_name="svchost.exe" AND command_line="*RemoteAccess*") OR ((destination_port=1723 AND protocol="TCP") OR (destination_port IN (1701, 500, 4500) AND protocol="UDP"))