CVE-2024-43611
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by sending specially crafted packets. It affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to system takeover, credential harvesting, and network reconnaissance from compromised RRAS servers.
If Mitigated
Limited impact if RRAS is disabled or properly firewalled, with potential for denial of service but not code execution.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' and the vulnerability requires no authentication, making it attractive to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows security updates from October 2024 or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43611
Restart Required: Yes
Instructions:
1. Apply Windows security updates via Windows Update or WSUS.
2. For Server Core, use: wusa.exe <update>.msu /quiet /norestart
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable RRAS Service
Stop and disable the Routing and Remote Access Service if it is not required:
sc stop RemoteAccess
sc config RemoteAccess start= disabled
Block RRAS Ports
Block the RRAS network ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) with the Windows Firewall:
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Disable RRAS service immediately on all affected systems
- Implement strict network segmentation and firewall rules to isolate RRAS servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running: sc query RemoteAccess | findstr RUNNING. If the service is running and the system is unpatched, it is vulnerable.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains October 2024 security updates and RRAS service can be restarted without issues.
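The three manual checks above (service state, patch level, port exposure) combined into one local assessment script. This is an added example, not part of the advisory; it assumes the October 2024 Patch Tuesday date (2024-10-08) as the "patched" cutoff, since the advisory names no KB number, and that the NetSecurity and NetTCPIP PowerShell modules are present (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the advisory): assess local exposure to CVE-2024-43611.
# Assumption: 2024-10-08 (October 2024 Patch Tuesday) is the cutoff for "patched";
# substitute the exact KB for your build once known.
$PatchCutoff = Get-Date '2024-10-08'
$RrasPorts   = @(
    @{ Proto = 'TCP'; Port = 1723 },   # PPTP
    @{ Proto = 'UDP'; Port = 1701 },   # L2TP
    @{ Proto = 'UDP'; Port = 500  },   # IKE
    @{ Proto = 'UDP'; Port = 4500 }    # IPsec NAT-T
)

# 1. Service state: RRAS running on an unpatched host is the vulnerable condition.
$svc          = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$svcRunning   = [bool]($svc -and $svc.Status -eq 'Running')
$svcStartType = if ($svc) { $svc.StartType } else { 'NotInstalled' }

# 2. Patch level: any update installed on or after the cutoff counts as the fix being present.
$latestFix = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1

# 3. Exposure: which RRAS ports are actually listening, and is an inbound block rule in place?
$listening = foreach ($p in $RrasPorts) {
    $open = if ($p.Proto -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $p.Port -ErrorAction SilentlyContinue
    }
    if ($open) { "$($p.Proto)/$($p.Port)" }
}
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(1723|1701|500|4500)$' } |
    Select-Object -ExpandProperty DisplayName

$vulnerable = $svcRunning -and -not $latestFix

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    RrasRunning       = $svcRunning
    RrasStartType     = $svcStartType
    PatchedSinceOct24 = [bool]$latestFix
    LatestUpdate      = if ($latestFix) { "$($latestFix.HotFixID) ($($latestFix.InstalledOn.ToShortDateString()))" } else { 'none' }
    ListeningPorts    = ($listening -join ', ')
    InboundBlockRules = ($blockRules -join ', ')
    Verdict           = if ($vulnerable)   { 'VULNERABLE: RRAS running, no update since 2024-10-08' }
                        elseif ($svcRunning) { 'Patched: RRAS running on an updated host' }
                        else                 { 'Not exposed: RRAS not running' }
}
```

Run it elevated on each RRAS host; a host that reports RrasRunning true with an empty InboundBlockRules list and no recent update is the one to prioritise for patching or the workarounds above.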
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 process-creation events associated with the RRAS host process, unexpected RRAS service restarts (Event ID 7036), and exploit-related patterns in the Windows Security log
Network Indicators:
- Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources, malformed VPN/RAS packets
SIEM Query:
source="windows" (event_id=4688 AND process_name="*svchost*" AND command_line="*RemoteAccess*") OR (event_id=7036 AND service_name="RemoteAccess" AND NOT (status="stopped" OR status="started normally"))