CVE-2024-49104
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. It affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise. The vulnerability stems from a heap-based buffer overflow (CWE-122) in the RRAS component.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, enabling lateral movement, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Remote code execution leading to malware installation, credential theft, and network reconnaissance from compromised systems.
If Mitigated
Limited impact if RRAS is disabled or network access is restricted, though vulnerable systems remain at risk if exposed.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the RRAS service. The CVSS score of 8.8 indicates high severity with a network-accessible attack vector and no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest Windows security updates from Microsoft's October 2024 Patch Tuesday or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49104
Restart Required: Yes
Instructions:
1. Open Windows Update settings.
2. Click 'Check for updates'.
3. Install all available security updates.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Disable RRAS Service
Disables the Routing and Remote Access Service if it is not required (run from an elevated command prompt):
sc config RemoteAccess start= disabled
net stop RemoteAccess
Block RRAS Ports
Blocks network access to the RRAS listeners using Windows Firewall. RRAS uses TCP 1723 (PPTP), UDP 1701 (L2TP) and GRE, which is IP protocol 47 rather than a port, so each needs its own rule; netsh rejects localport= unless protocol= is tcp or udp, and GRE is handled by a kernel driver rather than the svchost-hosted service, so the GRE rules are not scoped to a program or service (run from an elevated command prompt):
netsh advfirewall firewall add rule name="Block RRAS PPTP" dir=in action=block protocol=tcp localport=1723 program="%SystemRoot%\system32\svchost.exe" service="RemoteAccess"
netsh advfirewall firewall add rule name="Block RRAS L2TP" dir=in action=block protocol=udp localport=1701 program="%SystemRoot%\system32\svchost.exe" service="RemoteAccess"
netsh advfirewall firewall add rule name="Block RRAS GRE" dir=in action=block protocol=47
netsh advfirewall firewall add rule name="Block RRAS PPTP Outbound" dir=out action=block protocol=tcp localport=1723 program="%SystemRoot%\system32\svchost.exe" service="RemoteAccess"
netsh advfirewall firewall add rule name="Block RRAS L2TP Outbound" dir=out action=block protocol=udp localport=1701 program="%SystemRoot%\system32\svchost.exe" service="RemoteAccess"
netsh advfirewall firewall add rule name="Block RRAS GRE Outbound" dir=out action=block protocol=47
🧯 If You Can't Patch
- Disable RRAS service immediately if not required for business operations
- Implement strict network segmentation and firewall rules to block access to the RRAS listeners (UDP 1701, TCP 1723, and GRE, IP protocol 47) from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running:
sc query RemoteAccess | findstr "RUNNING"
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that Windows Update history contains the October 2024 security updates and that the RRAS service is either disabled or running on a patched build.
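The checks above can be combined into one script that reports the service state, whether the RRAS listeners are actually open, whether the workaround firewall rules from this page are in place, and whether a given update is installed. This is an added example, not part of the advisory: it assumes the "Block RRAS ..." rule names used in the workaround section, and the KB number is a placeholder because the page does not give one (look it up in the MSRC advisory for your build). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the advisory): RRAS exposure check for this host.
# Assumptions: firewall rules are named "Block RRAS ..." as in the workaround
# section; $ExpectedKB is a placeholder you must replace with the KB that
# applies to your OS build.

function Test-RrasExposure {
    [CmdletBinding()]
    param(
        # Placeholder: the page does not state the KB number of the fix.
        [string]$ExpectedKB = 'KB<PLACEHOLDER>'
    )

    $result = [ordered]@{}

    # 1. Service status and start type (NotInstalled if the role is absent)
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $result.ServiceStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $result.ServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    # 2. Are the RRAS listeners open? TCP 1723 = PPTP, UDP 1701 = L2TP.
    #    (GRE, IP protocol 47, has no port and is not visible here.)
    $tcp = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint  -LocalPort 1701 -ErrorAction SilentlyContinue
    $result.ListeningPPTP = [bool]$tcp
    $result.ListeningL2TP = [bool]$udp

    # 3. Count enabled block rules created by the workaround
    $rules = Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue
    $result.BlockRulesEnabled = @($rules | Where-Object {
        $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }).Count

    # 4. Is the expected update installed?
    $result.UpdateInstalled = [bool](Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue)

    # 5. Verdict: exposed if RRAS is running and neither the patch nor the
    #    block rules are in place
    $result.Exposed = ($result.ServiceStatus -eq 'Running') -and
                      (-not $result.UpdateInstalled) -and
                      ($result.BlockRulesEnabled -eq 0)

    [pscustomobject]$result
}

Test-RrasExposure | Format-List
```

Get-HotFix only sees updates registered as hotfixes, so on some builds a cumulative update may not appear under the KB you expect; treat UpdateInstalled as a hint and confirm with Windows Update history or the OS build number from systeminfo when it reports false.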
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) attributed to the RRAS service
- Event ID 4688 (process creation) with unusual parent processes
- Windows Security logs showing unexpected RRAS service activity
Network Indicators:
- Unusual traffic to the RRAS listeners (UDP 1701, TCP 1723, GRE/IP protocol 47) from external sources
- Malformed packets targeting RRAS service
SIEM Query:
source="windows" (event_id=4625 OR event_id=4688) AND process_name="svchost.exe" AND service="RemoteAccess"
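The SIEM query above is written in a generic pseudo-syntax. For a host-side hunt of the "process creation with unusual parent processes" indicator, the following added example (not part of the advisory) reads Security log 4688 events and reports command interpreters spawned by svchost.exe, the process that hosts the RRAS service. It assumes process-creation auditing is enabled on the host; the list of suspicious child names is a constructed starting point, not an exhaustive one.

```powershell
# Added example (not from the advisory): hunt 4688 events for shells and
# LOLBins whose parent is svchost.exe. Requires "Audit Process Creation";
# the CommandLine field is only populated if command-line auditing is also on.
# Assumption: $SuspiciousChildren is a constructed starting list; tune it.

function Get-SuspiciousSvchostChildren {
    param(
        [int]$Hours = 24,
        [string[]]$SuspiciousChildren = @(
            'cmd.exe', 'powershell.exe', 'pwsh.exe',
            'rundll32.exe', 'mshta.exe', 'certutil.exe'
        )
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $parent = [IO.Path]::GetFileName([string]$d['ParentProcessName'])
        $child  = [IO.Path]::GetFileName([string]$d['NewProcessName'])

        if ($parent -ieq 'svchost.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $d['ParentProcessName']
                Child   = $d['NewProcessName']
                Cmdline = $d['CommandLine']
                Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

Get-SuspiciousSvchostChildren -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Expect benign hits: the Task Scheduler service is also hosted in svchost.exe, so scheduled tasks that run cmd.exe or powershell.exe will appear. Triage on the Subject account (RRAS runs as SYSTEM), the command line, and whether the timing coincides with the network indicators listed above.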