CVE-2024-43593
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by sending specially crafted packets. It affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to malware installation, credential harvesting, and network reconnaissance from compromised systems.
If Mitigated
Limited impact with proper network segmentation, firewall rules blocking RRAS ports, and endpoint protection detecting exploit attempts.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely', and the CVSS vector indicates a network-accessible, low-complexity attack that requires no user interaction on the target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows security updates from Microsoft's July 2024 Patch Tuesday or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43593
Restart Required: Yes
Instructions:
1. Install Windows updates via Windows Update or WSUS.
2. For Server Core, use: wusa.exe <update>.msu /quiet /norestart
3. Restart the system after installation.
🔧 Temporary Workarounds
Disable RRAS Service
Stop and disable the Routing and Remote Access Service if it is not required (note that sc requires the space after start=):
sc stop RemoteAccess
sc config RemoteAccess start= disabled
Block RRAS Ports
Configure Windows Firewall to block inbound traffic to the RRAS ports (PPTP TCP 1723, L2TP UDP 1701, IKE UDP 500, IPsec NAT-T UDP 4500):
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Disable RRAS service immediately if not required for business operations
- Implement strict network segmentation and firewall rules to isolate RRAS systems from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running:
sc query RemoteAccess | findstr RUNNING
If it is running and the system lacks the July 2024+ Windows updates, it is vulnerable.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains KB5034441 (Windows 10) or equivalent July 2024+ security updates, and RRAS service version is updated.
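The three checks above (service state, OS version, fix installed) collected into one script, as an added example that is not part of the advisory. It assumes the fix is identified by a KB list you supply; KB5034441 is the only identifier this page names, so the list must be completed from the MSRC advisory for your OS build. The firewall check looks for rules named "Block RRAS*" as created by the workaround section.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session.
param(
    # KB identifiers counted as "fix applied". Only KB5034441 is named on the page;
    # assumption: you add the KB for your build from the MSRC advisory.
    [string[]]$FixKBs = @('KB5034441')
)

$result = [ordered]@{}

# 1. Is RRAS installed, running, or set to start at boot?
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$result.ServicePresent = [bool]$svc
$result.ServiceStatus  = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
$result.StartType      = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

# 2. OS name and version (same data as: systeminfo | findstr /B /C:"OS Name" /C:"OS Version")
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result.OSName    = $os.Caption
$result.OSVersion = $os.Version

# 3. Is one of the fix KBs in the installed-update list?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$result.FixInstalled = [bool]($FixKBs | Where-Object { $installed -contains $_ })

# 4. Are the interim "Block RRAS" firewall rules from the workaround section active?
$blockRules = Get-NetFirewallRule -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Block RRAS*' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
$result.RRASPortsBlocked = [bool]$blockRules

# Verdict: exposed only when the service is present and running or enabled to start.
$exposed = $svc -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
$result.Verdict =
    if (-not $exposed)                { 'Not exposed (RRAS absent or disabled)' }
    elseif ($result.FixInstalled)     { 'Patched' }
    elseif ($result.RRASPortsBlocked) { 'Unpatched, but RRAS ports are blocked (interim)' }
    else                              { 'VULNERABLE: RRAS enabled and no fix KB installed' }

[pscustomobject]$result | Format-List
```

Run it as `.\Check-RRAS.ps1 -FixKBs KB5034441,KB<your-build-kb>` (placeholder, not a real KB number). The KB match is deliberately conservative: a missing KB in your list yields a "VULNERABLE" verdict rather than a silent pass.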
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) for child processes spawned by the svchost.exe instance hosting the RemoteAccess service
- RRAS service crashes or unexpected restarts in System logs
- Unusual network connections to RRAS ports from unexpected sources
Network Indicators:
- Unusual traffic patterns to TCP 1723 or UDP 1701/500/4500
- Malformed packets targeting RRAS ports
- Network scans for RRAS services
SIEM Query:
source="windows" ((event_id=4688 AND process_name="svchost.exe" AND service="RemoteAccess") OR (destination_port IN (1723, 1701, 500, 4500) AND (protocol="TCP" OR protocol="UDP")))
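A host-side version of the log and network indicators above, as an added example that is not part of the advisory. It reads the local System and Security logs for the last N hours and reports three things: RRAS crash events (Service Control Manager IDs 7031 and 7034, the standard "service terminated unexpectedly" events), processes created by the svchost.exe that currently hosts RemoteAccess (Security 4688), and established TCP connections to port 1723. The 24-hour default window, the output shape, and the assumption that the RRAS host process is still running (so its PID can be matched against the 4688 creator PID) are this example's choices; the SIEM query on the page is the network-wide equivalent.

```powershell
# Added example, not from the advisory. Requires an elevated session and process-creation
# auditing (4688) enabled; otherwise the second indicator returns nothing.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Indicator 1: RRAS crashes / unexpected restarts. SCM logs 7034 ("terminated unexpectedly")
# and 7031 (same, with a recovery action) in the System log under the service's display name.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Routing and Remote Access' } |
    Select-Object TimeCreated, Id, @{ n = 'Text'; e = { ($_.Message -split "`n")[0].Trim() } }

# Indicator 2: 4688 events whose creator PID is the live RemoteAccess svchost.
# 4688's EventData field 'ProcessId' is the creator PID as a hex string (e.g. 0x1a4);
# 'NewProcessName' and 'CommandLine' describe the spawned process.
$rrasPid  = (Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'").ProcessId
$children = @()
if ($rrasPid) {
    $wantPid  = '0x{0:x}' -f $rrasPid
    $children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                CreatorPid  = $d['ProcessId']
                Parent      = $d['ParentProcessName']
                NewProcess  = $d['NewProcessName']
                CommandLine = $d['CommandLine']
            }
        } |
        Where-Object { $_.CreatorPid -eq $wantPid }
}

# Indicator 3: established TCP sessions on the PPTP port. UDP endpoints (1701/500/4500)
# carry no remote address in Get-NetUDPEndpoint, so they are left to the network-side query.
$pptp = Get-NetTCPConnection -LocalPort 1723 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

"== RRAS crash events (last $Hours h): $(@($crashes).Count)";   $crashes  | Format-Table -AutoSize
"== Processes spawned by RemoteAccess svchost: $(@($children).Count)"; $children | Format-Table -AutoSize
"== Established PPTP (TCP 1723) sessions: $(@($pptp).Count)";   $pptp     | Format-Table -AutoSize
```

Any non-zero count for the second indicator deserves a look: the RemoteAccess host process has no routine reason to launch child processes, so even one 4688 hit is a stronger signal than a crash event, which can also come from an ordinary fault.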