Windows Server at risk from PoC exploit for CVE-2024-38077

Windows[German]Another follow-up to the July 2024 patchday, in which Microsoft closed the vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing (RDL) service of Windows Server. This is a Remote Code Execution (RCE) vulnerability that has been rated with a CVSS 3.1 score of 9.8. Anyone who has not yet patched should do so immediately. A proof of concept (PoC) for this vulnerability has been published. Although this publication was taken offline again after a few hours, attacks can be expected soon.

Windows Server vulnerability CVE-2024-38077

I checked it, Microsoft has not yet published any details about the vulnerability CVE-2024-38077. The linked CVE post only states that it is a Remote Code Execution vulnerability (RCE) that has been rated as absolutely critical with a CVSS 3.1 score of 9.8.

The vulnerability in the Windows Remote Desktop Licensing (RDL) service allows attacks on the network and requires only a low level of complexity for successful exploitation. Microsoft states that an unauthenticated attacker could connect to the Remote Desktop Licensing service to send a malicious message that could allow remote code execution.

No special privileges are required for exploitation. However, the Windows Remote Desktop Licensing (RDL) service must be enabled (see also the comment below). So far there is probably no exploitation and Microsoft sees a low probability of exploitation. At the same time, Microsoft has released updates for Windows Server versions that are still supported and recommends installing them urgently. I have extracted the patches from July 9, 2024 for the respective server versions below.

So there are security updates available for the above vulnerability, which I have also mentioned in the Patchday posts (see links at the end of the article). There is also the advice to deactivate the Remote Desktop Licensing Service – if it has been activated but is not needed. However, some administrators may not have installed the updates due to various problems mentioned in the links at the end of the article. And it is not possible to deactivate the service. Then these cases run into potential problems.

The Windows Remote Desktop Licensing Service (RDL) is responsible for managing Remote Desktop Services licenses. The service should only be available if Remote Desktop Services (RDS) is installed on the server. However, RDL is then used in many companies. Security researchers have discovered that the RDL services of at least 170,000 instances are accessible via the Internet. These installations are vulnerable to attack, and the fact that the RDL service is often integrated into critical business systems and remote desktop clusters doesn't make it any better.

Proof of Concept (PoC) for CVE-2024-38077

I was startled by the following tweet from Nicolas Krassas. He writes that a 0-click RCE has been published for CVE-2024-38077, which threatens all Windows server systems that are not patched.

Proof of Concept (PoC) for CVE-2024-38077

Security Online has taken up the matter in this blog post after three security researchers managed to create code for a proof-of-concept (PoC) exploit for the critical vulnerability CVE-2024-38077 (MadLicense) and reported it on the Internet. This vulnerability, which allows remote code execution (RCE) before authentication, affects all versions of Windows Server 2000 through 2025 and gives attackers the ability to take complete control of a target server without requiring user interaction.

The vulnerability, known as MadLicense, exploits a simple heap overflow in the CDataCoding::DecodeData procedure. By manipulating user-controlled input, attackers can trigger a buffer overflow that leads to the execution of arbitrary code in the context of the RDL service, it says.

All Windows Server versions at risk

The security researchers mentioned above developed the proof-of-concept (POC) exploit for Windows Server 2025 to demonstrate its exploitability and achieved a success rate of nearly 100%. The exploit effectively bypasses all current protections, including the recently introduced LFH protections in Windows Server 2025, writes Security Online in this blog post.

While the PoC demonstrates the exploitation of the vulnerability on Windows Server 2025, the researchers see that the vulnerability could be exploited faster and more efficiently on older versions of Windows Server, where fewer protections are in place.

Discovery reported, PoC report now offline

The security researchers reported the vulnerability to Microsoft a month before it was published, writes Security Online. Microsoft patched the vulnerability in July 2024, but initially classified the exploitation as "less likely". The suspicion arises that the threats were underestimated.

But the drama unfortunately continues, or rather it gets interesting: The blog post from Security Online was published a few hours ago and I came across the topic overnight. This morning, when I tried to read the whole thing and write a blog post, I was amazed. In the meantime, the Google page where a security researcher explaining the proof-of-concept (POC) exploit has already disappeared again. The associated YouTube video by the security researchers is also no longer available on the Internet. The search engine caches seems also to be cleared.

Conclusion: In my opinion, the hut is on fire and the security researchers have uncovered something that should not (yet) be published. However, I assume that the content of the page [sites.google[.]com/site/zhiniangpeng/blogs/MadLicense] has been read and accessed by interested third parties. It may not be long before the vulnerability is exposed to attacks. For administrators in companies responsible for Windows Server, there are three measures to take:

  • Ensure that the Windows Remote Desktop Licensing (RDL) service is not accessible via the Internet.
  • If the Windows Remote Desktop Licensing Service (RDL) is not required, it should be deactivated.
  • Install the relevant security updates from July 2024 to mitigate the vulnerability.

As it currently stands, it will once again affect systems that are not actively managed when the first exploitation campaigns start. And it puts administrators in trouble who are unable to install the July 2024 updates due to problems such as broken Remote Desktop (see following article links).

Similar articles:
Microsoft Security Update Summary (July 9, 2024)
Patchday: Windows 10/Server Updates (July 9, 2024)
Patchday: Windows 11/Server 2022-Updates (July 9, 2024)
Windows Server 2012 / R2 und Windows 7 (July 9, 2024)

Windows 11 update KB5040442 causes issues with Outlook 2021
Windows July 2024 updates break remote connections
Windows 10/11 updates (e.g. KB5040442) trigger Bitlocker queries (July 2024)
Windows Update July 2024: Are there issues with Radius authentications?
July 2024 security update KB5040427 crashes Windows 10/Server LPD printing service
Microsoft's fixes for various Windows bugs (July 2024)
Windows Patchday news: MSHTML 0-day vulnerability CVE-2024-38112 exploited by malware

This entry was posted in Security, Update, Windows and tagged , , , . Bookmark the permalink.

2 Responses to Windows Server at risk from PoC exploit for CVE-2024-38077

  1. Jorge M. says:

    Some info for readers:
    https://borncity.eu/win/2024/07/19/workaround-for-broken-windows-remote-desktop-gateway-service-after-july-2024-updates/#comment-17217

    Interesting that article is not on Similar articles, but is very relevant.
    Thank you.

    PS: Install the MS patch. Now! And test the one that Microsoft will publish in a few days at the next Patch Tuesday.

Leave a Reply

Your email address will not be published. Required fields are marked *