Date of Disclosure: August 12, 2024
CVE-ID and CVSS Score: CVE-2024-38077: CVSS 9.8
Issue Name and Description: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
Asset Description: Windows Remote Desktop Licensing Service is a crucial component of Remote Desktop Services (RDS) in Windows Server environments. It manages the licensing for users and devices that connect to Remote Desktop Session Hosts (RD Session Hosts).
Vulnerability Impact: A threat actor could exploit this vulnerability to execute arbitrary code on the affected Windows Remote Desktop Licensing Service instances, potentially leading to complete system compromise, data theft, and unauthorized access to sensitive information.
Exploitation Details: The vulnerability stems from a heap overflow flaw in Windows Remote Desktop Licensing Service. An attacker could send a malicious message to the server that triggers the overflow, allowing for remote code execution.
There are several PoCs published on GitHub.
Patch Availability: Microsoft has released patches to address this vulnerability. Instances should be updated immediately to the latest patched version.
Censys Perspective:
At the time of writing, Censys observes 79,000 exposed devices online.
To identify potentially vulnerable non-hosted Windows Remote Desktop Licensing Service instances, the following Censys queries can be used:
- Censys Search Query: services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Query: host.services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Risk Query: risks.name="Windows Remote Desktop Licensing Service RCE Vulnerability [CVE-2024-38077]"
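For triaging your own inventory offline, the same match can be applied to exported host records. This is an added example, not Censys code: the record shape (`ip`, `services[].port`, `services[].parsed.dcerpc.endpoints[].explained_uuid`) is assumed from the field path in the queries, and the sample records are constructed.

```python
# Interface UUID and version taken from the Censys queries above.
RDL_UUID = "3d267954-eeb7-11d1-b94e-00c04fa3080d"
RDL_VERSION = "v1.0"

def parse_explained_uuid(value):
    """Split an 'explained_uuid' string such as '<uuid> v1.0' into (uuid, version)."""
    parts = str(value).strip().lower().split()
    if not parts:
        return ("", None)
    return (parts[0], parts[1] if len(parts) > 1 else None)

def exposes_rd_licensing(service):
    """True if a service record advertises the RD Licensing RPC interface."""
    dcerpc = ((service.get("parsed") or {}).get("dcerpc")) or {}
    for endpoint in dcerpc.get("endpoints") or []:
        uuid, version = parse_explained_uuid(endpoint.get("explained_uuid", ""))
        if uuid == RDL_UUID and version in (None, RDL_VERSION):
            return True
    return False

def exposed_hosts(records):
    """Map each host IP to the sorted ports where the interface was observed."""
    hits = {}
    for host in records:
        ports = sorted({s.get("port", 0) for s in host.get("services") or []
                        if exposes_rd_licensing(s)})
        if ports:
            hits[host.get("ip")] = ports
    return hits

# Constructed sample records (documentation IP ranges); the record shape is an
# assumption derived from the field path in the queries, not a real export.
SAMPLE = [
    {"ip": "192.0.2.10", "services": [
        {"port": 135, "parsed": {"dcerpc": {"endpoints": [
            {"explained_uuid": "3D267954-EEB7-11D1-B94E-00C04FA3080D v1.0"}]}}},
        {"port": 3389}]},
    {"ip": "198.51.100.7", "services": [
        {"port": 135, "parsed": {"dcerpc": {"endpoints": [
            {"explained_uuid": "00000000-0000-0000-0000-000000000000 v1.0"}]}}}]},
    {"ip": "203.0.113.5", "services": [{"port": 443, "parsed": None}]},
]

if __name__ == "__main__":
    for ip, ports in exposed_hosts(SAMPLE).items():
        print(f"{ip}: RD Licensing RPC interface on port(s) {ports}")
```

A match means the licensing interface is reachable on that host, not that the host is unpatched; patch status still has to be confirmed on the server itself.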