
CVE-2024-38068: Windows 10 1507 OCSP DoS Vulnerability

CVE-2024-38068 is a denial of service vulnerability affecting Windows Online Certificate Status Protocol (OCSP) Server in Windows 10 1507. This article covers technical details, affected versions, security impact, and mitigation.


CVE-2024-38068 Overview

CVE-2024-38068 is a denial of service vulnerability affecting the Windows Online Certificate Status Protocol (OCSP) Server component across multiple Microsoft Windows client and server editions. The flaw allows a remote, unauthenticated attacker to send specially crafted network requests that exhaust resources on the targeted OCSP service. Successful exploitation disrupts certificate revocation status responses, which can impact authentication flows and applications that depend on OCSP for certificate validation. The vulnerability is tracked under [CWE-400] Uncontrolled Resource Consumption.

Critical Impact

A remote unauthenticated attacker can disable Windows OCSP Server responses, breaking certificate revocation checks and degrading services that rely on PKI validation.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (21H2, 22H2, 23H2)
  • Microsoft Windows Server 2008 SP2, Server 2008 R2 SP1, Server 2012, Server 2012 R2
  • Microsoft Windows Server 2016, 2019, 2022, and Server 2022 23H2

Discovery Timeline

  • 2024-07-09 - CVE-2024-38068 published to NVD
  • 2024-07-09 - Microsoft releases security update for CVE-2024-38068
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-38068

Vulnerability Analysis

The vulnerability resides in the Windows OCSP Server role, a component of Active Directory Certificate Services (AD CS) that responds to certificate revocation status queries. The service processes OCSP requests over HTTP without adequately constraining resource consumption during request handling. An attacker reaches the service across the network without credentials or user interaction. Repeated or malformed requests drive the server into resource exhaustion, halting legitimate revocation responses.

The attack does not compromise confidentiality or integrity. Availability is the sole impact, but the downstream effect is broad: relying parties that perform OCSP checks may fail closed or experience authentication delays. Environments running enterprise PKI for smart card logon, code signing validation, or TLS client certificate authentication are most exposed.

EPSS data places exploitation probability at 2.538% with a percentile of 82.99, indicating elevated relative likelihood compared to the broader CVE population.

Root Cause

The root cause is uncontrolled resource consumption [CWE-400] within the OCSP responder's request processing path. The service does not sufficiently limit the work performed per inbound request or throttle abusive request patterns, allowing a low-volume attacker to consume disproportionate CPU and memory.

Attack Vector

Exploitation occurs over the network against the HTTP endpoint exposed by the Online Responder role. No authentication, privileges, or user interaction are required. An attacker who can reach the OCSP URL published in issued certificates can send crafted requests to trigger the denial of service condition. Public-facing OCSP responders and internal responders accessible to compromised hosts are both viable targets.

No public proof-of-concept code or exploit has been published for CVE-2024-38068. See the Microsoft Security Update Guide for vendor-supplied technical details.

Detection Methods for CVE-2024-38068

Indicators of Compromise

  • Sustained spikes in CPU or memory utilization on servers hosting the Active Directory Certificate Services Online Responder role.
  • Elevated request rates or anomalous request patterns against the OCSP HTTP endpoint (typically /ocsp) in IIS logs.
  • Increased OCSP response timeouts and failures reported by relying parties, smart card logon, or TLS handshakes.

Detection Strategies

  • Monitor Windows Event Logs for the OnlineResponder and OnlineResponderSvc sources for errors, restarts, or service unavailability messages.
  • Correlate IIS access logs from the OCSP virtual directory against baseline request volumes to identify volumetric or low-and-slow abuse.
  • Alert when certificate validation failures on dependent services increase concurrently with OCSP responder degradation.
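The log-correlation strategy above, as an added example that is not part of the original advisory: a sliding-window counter over IIS W3C log lines that reports any client IP whose request rate to the /ocsp path exceeds a baseline. The log lines are constructed and the thresholds are illustrative; derive real ones from your own responder's normal traffic.

```python
"""Flag per-source request bursts against /ocsp in IIS W3C access logs."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not a real capture): two normal relying parties and one
# source (192.0.2.77) sending 20 POSTs to /ocsp inside five seconds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-07-10 09:00:00 10.0.0.5 GET /ocsp/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ - 80 - 10.0.1.20 Mozilla/5.0 - 200 0 0 12
2024-07-10 09:00:01 10.0.0.5 POST /ocsp - 80 - 10.0.1.21 Schannel - 200 0 0 9
2024-07-10 09:00:03 10.0.0.5 GET /Default.htm - 80 - 10.0.1.20 Mozilla/5.0 - 200 0 0 5
""" + "".join(
    f"2024-07-10 09:00:{s:02d} 10.0.0.5 POST /ocsp - 80 - 192.0.2.77 curl/8.4 - 503 0 0 4000\n"
    for s in range(4, 9) for _ in range(4)
)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def ocsp_bursts(text, window_s=10, max_requests=10, path="/ocsp"):
    """Return {client_ip: peak hits on `path` in any window_s-second window}
    for every client whose peak exceeds max_requests."""
    recent = defaultdict(deque)  # c-ip -> timestamps still inside the window
    peak = defaultdict(int)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem != path and not stem.startswith(path + "/"):
            continue  # GET requests carry the base64 request under /ocsp/<...>
        ts = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        peak[rec["c-ip"]] = max(peak[rec["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


if __name__ == "__main__":
    for ip, n in ocsp_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} /ocsp requests within 10 s")
```

Lower `max_requests` and widen `window_s` to catch the low-and-slow pattern the strategy mentions; the same counter applies.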

Monitoring Recommendations

  • Track availability and latency of the OCSP responder endpoint with synthetic probes from internal and external vantage points.
  • Capture network telemetry at perimeter and internal segments to identify unauthenticated sources sending high request volumes to OCSP URLs.
  • Maintain inventory of all servers with the Online Responder role installed and confirm patch state on each Patch Tuesday cycle.

How to Mitigate CVE-2024-38068

Immediate Actions Required

  • Apply the July 2024 Microsoft security updates referenced in the Microsoft Security Update Guide for CVE-2024-38068 to all affected Windows client and server builds.
  • Inventory servers running the Active Directory Certificate Services Online Responder role and prioritize patching of internet-facing instances.
  • Validate that load balancers and reverse proxies fronting OCSP endpoints enforce rate limiting and connection caps.

Patch Information

Microsoft released fixes on July 9, 2024 as part of the monthly security update cycle. Updates are available for Windows 10 (1507, 1607, 1809, 21H2, 22H2), Windows 11 (21H2, 22H2, 23H2), and Windows Server 2008 SP2 through Server 2022 23H2. Refer to the vendor advisory for KB article numbers matching each build.

Workarounds

  • Restrict network access to the OCSP responder so only required relying parties can reach the endpoint, where business requirements permit.
  • Deploy rate limiting at IIS, Web Application Firewall, or upstream load balancer to cap inbound requests per source IP against the /ocsp path.
  • Distribute OCSP load across multiple Online Responder instances behind a load balancer to reduce single-host impact during abuse.
```cmd
REM Example IIS request rate limiting via Dynamic IP Restrictions on the OCSP site.
REM Run from an elevated prompt; appcmd.exe lives in %windir%\system32\inetsrv and is not on PATH.
REM Requires the IIS "IP and Domain Restrictions" feature, which provides Dynamic IP Restrictions.
REM The values below (100 requests per 1000 ms per client IP) are illustrative; tune them from your baseline.
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ocsp" -section:system.webServer/security/dynamicIpSecurity /denyByRequestRate.enabled:true /denyByRequestRate.maxRequests:100 /denyByRequestRate.requestIntervalInMilliseconds:1000 /commit:apphost
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
