Alert essentials:
A proof-of-concept was released for a critical remote code execution that allows complete server compromise without user interaction.
Patches have been released; deploy immediately!
Detailed threat description:
Researchers released a pseudocode proof-of-concept exploit on a pre-authentication vulnerability impacting all Windows servers from 2000 to the 2025 preview.
Originating from a heap buffer overflow in a decode data function, the zero-click vulnerability is in the Windows Remote Desktop Licensing (RDL) service of Windows Server. Skilled bad actors can use the license to load a remote DLL, allowing hackers to execute arbitrary code with the service’s permissions.
Even worse, with a few code changes to the exploit, attackers could execute arbitrary shellcodes within the RDL process. Pseudocode is described as distinct steps presented in a way that is easy for a coder or programmer to replicate.
Further expressing the need for patching, widespread attacks are predicted with over 170,000 licenses exposed to the internet. Organizations are strongly advised to prioritize the immediate update of their Windows Server systems.
If updates cannot be deployed immediately, disable the service if it is no longer needed on the system. Disabling unused and unneeded services will help reduce your exposure to security vulnerabilities.
Impacts on healthcare organizations:
More and more hospitals are experiencing cyber events because of their broad attack surfaces. Interconnecting technologies make it easy for cybercriminals to find and exploit vulnerabilities for financial gain. With the risk of exposing patient data and the entire healthcare system, cyber hygiene must be essential to every functioning network.
Compliance is essential, but compliance does not equal cybersecurity. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies.
Affected products / versions:
CVE
CVE-2024-38077
KBs
KB5040485: Windows Server 2012 Security Update (July 2024)
KB5040498: Windows Server 2008 R2 Security Update (July 2024)
KB5040437: Windows Server 2022 / Azure Stack HCI 22H2 Security Update (July 2024)
KB5040490: Windows Server 2008 Security Update (July 2024)
KB5040434: Windows 10 Version 1607 / Windows Server 2016 Security Update (July 2024)
KB5040430: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2024)
KB5040438: Windows 11 version 22H2 / Windows Server version 23H2 Security Update (July 2024)
KB5040456: Windows Server 2012 R2 Security Update (July 2024)
Recommendations
Engineering recommendations:
- Prioritize deployment of July 2024 patches.
- To reduce the attack surface, administrators should consider implementing additional security measures, such as network segmentation and strict access controls.
- Review privileges at the application level to identify where exploitation leads to the adoption of the service or application at a heightened level.
Leadership / Program recommendations:
- This information was responsibly released to draw attention to the flaw and to remind users to update systems. However, rapid exploitation is expected.
- Make sure policies represent cybersecurity needs, especially when the priority for patching or changes needs to be swifter than current policies and processes may permit.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Patches: CVE-2024-38077 – Security Update Guide – Microsoft – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
- Remote Desktop License Guidance: Guidance for troubleshooting RDS Licensing – Windows Server | Microsoft Learn
- Release: https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38077.md