CVE-2024-38076

Heap-based Buffer Overflow (CWE-122)

Published: Jul 9, 2024

CVSS 9.8 / EPSS 0.09% / Critical

Summary

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability. This is a critical vulnerability with a CVSS base score of 9.8. It affects the Windows Remote Desktop Licensing Service and allows for remote code execution. The vulnerability is characterized by high impact on confidentiality, integrity, and availability. It can be exploited over the network, requires no user interaction, and needs no privileges for exploitation.

Impact

This vulnerability could allow an attacker to execute arbitrary code on the target system remotely. Given the high impact on confidentiality, integrity, and availability, an attacker could potentially gain full control of the affected system, access sensitive information, modify or delete data, and disrupt system operations. The attack vector being network-based with no user interaction required makes this vulnerability particularly dangerous, as it could be exploited without user awareness.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on July 9, 2024.

Mitigation

1. Apply the official patch released by Microsoft immediately.
2. If immediate patching is not possible, consider temporarily disabling the Windows Remote Desktop Licensing Service until the patch can be applied.
3. Implement network segmentation to limit exposure of systems running the vulnerable service.
4. Monitor for suspicious activities related to the Windows Remote Desktop Licensing Service.
5. Ensure that only necessary ports and services are exposed to the network.
6. Implement strong authentication mechanisms for remote access.
7. Keep all Windows systems and software up to date with the latest security patches.
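The following PowerShell script is an added example of how an administrator could carry out steps 1, 2 and 4 above on a single host; it is not code from this page or from Microsoft. It assumes the internal service name of "Remote Desktop Licensing" is `TermServLicensing`, and it takes the KB number of the July 9, 2024 update as a parameter, because neither value appears on the page (the default is a placeholder you must replace).

```powershell
# Added example for the mitigation steps above; this is not code from the
# Feedly page or from Microsoft. Assumptions (neither value appears on the
# page): the service's internal name is TermServLicensing, and the KB number
# of the July 9, 2024 update for this host is supplied by the operator.
[CmdletBinding()]
param(
    # PLACEHOLDER: replace with the KB of the July 2024 update for this OS build.
    [string]$PatchKB = 'KBNNNNNNN',
    # Without -Enforce the script only reports; with it, an unpatched host
    # gets the service stopped and disabled (mitigation step 2).
    [switch]$Enforce
)

$serviceName = 'TermServLicensing'   # assumed internal name of "Remote Desktop Licensing"

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = $false
        Running   = $false
        Patched   = $null
        Action    = 'none: RD Licensing role not present, CVE-2024-38076 does not apply'
    }
    return
}

# Step 1 check: is the update that fixes CVE-2024-38076 installed?
$patched = $null -ne (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
$running = $svc.Status -eq 'Running'
$action  = 'none'

if (-not $patched -and $running) {
    if ($Enforce) {
        # Step 2: take the vulnerable service off the network until patched.
        Stop-Service -Name $serviceName -Force
        Set-Service  -Name $serviceName -StartupType Disabled
        $action = "stopped and disabled $serviceName pending $PatchKB"
    } else {
        $action = "UNPATCHED and running: rerun with -Enforce or install $PatchKB"
    }
} elseif ($patched -and $svc.StartType -eq 'Disabled') {
    $action = "patched; re-enable $serviceName (Set-Service -StartupType Automatic) when ready"
}

# Step 4 aid: Service Control Manager events for this service in the last day,
# so a monitoring job can spot unexpected stops or starts of the licensing service.
$scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Remote Desktop Licensing*' } |
    Select-Object TimeCreated, Id, Message

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Installed       = $true
    Running         = $running
    StartType       = $svc.StartType
    Patched         = $patched
    Action          = $action
    RecentScmEvents = @($scmEvents).Count
}
```

Run it without `-Enforce` first to get a report; rerun with `-Enforce` only on hosts where the licensing role can be paused, because a stopped licensing service cannot issue new RDS client access licenses to session hosts until it is re-enabled after patching.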

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Jul 9, 2024 at 7:53 AM: Detection in Vulnerability Scanners. Detection for the vulnerability has been added to Qualys (92149).

Jul 9, 2024 at 5:05 PM (microsoft): CVSS. A CVSS base score of 9.8 has been assigned.

Jul 9, 2024 at 5:15 PM: CVE Assignment. NVD published the first details for CVE-2024-38076.

Jul 9, 2024 at 5:17 PM (Vulners.com RSS Feed): First Article. Feedly found the first article mentioning CVE-2024-38076. See article.

Jul 9, 2024 at 5:25 PM: CVSS Estimate. Feedly estimated the CVSS score as HIGH.

Jul 9, 2024 at 6:59 PM: Trending. This CVE started to trend in security discussions.

Jul 10, 2024 at 10:14 AM: EPSS. EPSS Score was set to: 0.09% (Percentile: 39.4%).

Jul 12, 2024 at 7:36 PM: Trending. This CVE stopped trending in security discussions.

Jul 17, 2024 at 9:13 AM: Threat Intelligence Report. CVE-2024-38076 is a critical vulnerability in the Windows Remote Desktop Licensing Service that allows for remote code execution. It has a CVSS score of [insert score here]. The vulnerability is currently being exploited in the wild by [insert threat actor], and there are no known mitigations or patches available at this time. See article.

[Static CVE timeline graph]

Affected Systems

Microsoft/windows_server_2019

Patches

Microsoft

Attack Patterns

CAPEC-92: Forced Integer Overflow

References

CVE-2024-38077 : A Zero-Click RCE Threat In Windows Server 2025
These vulnerabilities can be used to build multiple Preauth RCE exploitations targeting the Windows Remote Desktop Licensing Service. Among them were several Preauth RCE vulnerabilities (Unauthenticated non-sandboxed 0-click RCE) in the Remote Desktop Licensing Service.
July 2024 Threat Advisory – Top 5
SecurityHQ has observed a newly discovered critical remote code execution vulnerability (CVE-2024-6387) affecting OpenSSH servers on glibc-based Linux systems. Microsoft has released its Patch Tuesday for July 2024, with security updates for 139 flaws with 59 Remote Code Execution Vulnerabilities.

News

July 2024 Patch Tuesday: Two Zero-Days and Five Critical Vulnerabilities Amid 142 CVEs
The Windows MSHTML Platform received a patch for CVE-2024-38112, which has a severity of Important and a CVSS score of 7.5. (Table row: Severity Important, CVSS Score 7.5, CVE-2024-38112, Windows MSHTML Platform Spoofing Vulnerability.)
CVE-2024-38077 : A Zero-Click RCE Threat In Windows Server 2025
These vulnerabilities can be used to build multiple Preauth RCE exploitations targeting the Windows Remote Desktop Licensing Service. Among them were several Preauth RCE vulnerabilities (Unauthenticated non-sandboxed 0-click RCE) in the Remote Desktop Licensing Service.
CVE-2024-38077.md
from impacket.dcerpc.v5.dtypes import BOOL,ULONG, DWORD, PULONG, PWCHAR, PBYTE, WIDESTR, UCHAR, WORD, BBYTE, LPSTR, PUINT, WCHAR These vulnerabilities can be used to build multiple Preauth RCE exploitations targeting the Windows Remote Desktop Licensing Service.
AT&T Suffers Major Breach, APT40 Prompts CISA Advisory, CyberCrime Kingpin Jailed, and more
Despite some reports suggesting that Snowflake itself was breached, Mandiant has clarified that the breaches they investigated were due to threat actors obtaining the login credentials of Snowflake customers, not staff, via infostealers. Currently the attacks seem to be mostly cryptocurrency focused, with threat actors hijacking and redirecting Web3 based domains, then trying to phish users for their wallet details.
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 28 - SANS Institute
Product: Automattic Newspack Blocks CVSS Score: 9.9 NVD: NVD References: CVE-2024-39872 - SINEMA Remote Connect Server (All versions < V3.2 SP1) allows authenticated attackers with the 'Manage firmware updates' role to escalate privileges via improper assignment of rights to temporary files. Product: WordPress Gutenberg Forms plugin CVSS Score: 9.8 NVD: NVD References: - - - CVE-2024-6314 - The IQ Testimonials plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially execute remote code due to insufficient file validation, in versions up to 2.2.7, only if the 'gd' PHP extension is not loaded.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
