CVE-2024-38091 Overview
CVE-2024-38091 is a denial of service vulnerability in the Microsoft WS-Discovery (Web Services Dynamic Discovery) protocol implementation on Windows. An unauthenticated remote attacker can send specially crafted network traffic to a vulnerable host and exhaust service availability. The flaw affects a broad range of supported Windows client and server releases, including Windows 10, Windows 11, and Windows Server 2008 through Windows Server 2022 23H2. Microsoft addressed the issue in the July 2024 Patch Tuesday release.
Critical Impact
An unauthenticated network attacker can disrupt the availability of the WS-Discovery service on affected Windows systems, with an EPSS probability of 11.055% (93.5 percentile) indicating elevated exploitation likelihood.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-07-09 - CVE-2024-38091 published to NVD and addressed in Microsoft's July 2024 security updates
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38091
Vulnerability Analysis
The vulnerability resides in the Windows implementation of WS-Discovery, a multicast SOAP-over-UDP protocol used for locating services on local networks. The flaw is categorized as Improper Handling of Missing Special Element [CWE-166], which indicates that the service mishandles malformed or incomplete protocol elements during message parsing. An attacker sends crafted WS-Discovery probe or resolve messages that trigger the faulty handler, causing the service to enter an unrecoverable state.
The issue is purely an availability flaw. Confidentiality and integrity are not affected, but the targeted service stops responding to legitimate discovery requests. WS-Discovery is commonly enabled on networked printers, cameras, and Windows hosts running discoverable services, making this a useful disruption primitive on enterprise LANs.
Root Cause
The root cause is improper input validation when the WS-Discovery component parses SOAP envelopes that omit required XML elements. The handler fails to verify the presence of expected fields before dereferencing or processing them, resulting in an exception or fault condition that terminates message processing.
Attack Vector
Exploitation requires only network reachability to UDP port 3702, the standard WS-Discovery multicast endpoint. No authentication, user interaction, or prior foothold is required. Because WS-Discovery operates over multicast (239.255.255.250), a single malicious packet can affect multiple listening hosts on the same broadcast domain.
No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability is described in prose only as no verified exploit code has been released. Refer to the Microsoft Security Update CVE-2024-38091 advisory for vendor technical details.
Detection Methods for CVE-2024-38091
Indicators of Compromise
- Unexpected termination or repeated restarts of the fdPHost or WS-Discovery related services on Windows endpoints.
- Inbound UDP traffic to port 3702 from non-trusted network segments or external sources.
- Malformed SOAP envelopes in WS-Discovery probe/resolve messages captured in network telemetry.
Detection Strategies
- Inspect UDP/3702 traffic with network monitoring tools and flag packets containing truncated or malformed SOAP XML structures.
- Correlate Windows Service Control Manager events (Event ID 7031, 7034) with spikes in WS-Discovery traffic on the same host.
- Baseline normal WS-Discovery volume per VLAN and alert on sudden bursts of probe/resolve messages from a single source.
Monitoring Recommendations
- Enable network flow logging on segments where WS-Discovery is permitted and retain captures for forensic review.
- Monitor Windows event logs for repeated WS-Discovery service crashes and tie alerts to the source IP of recent multicast traffic.
- Track patch compliance for the July 2024 cumulative updates across all Windows 10, Windows 11, and Windows Server hosts.
How to Mitigate CVE-2024-38091
Immediate Actions Required
- Apply the July 2024 Microsoft security updates referenced in the Microsoft Security Update CVE-2024-38091 advisory to all affected Windows builds.
- Inventory hosts with WS-Discovery enabled and prioritize patching of servers and management endpoints.
- Restrict UDP/3702 ingress at perimeter and inter-VLAN firewalls so multicast discovery traffic does not traverse untrusted boundaries.
Patch Information
Microsoft released fixes for CVE-2024-38091 as part of the July 9, 2024 security update cycle. Each affected Windows version has a dedicated cumulative or monthly rollup update listed in the vendor advisory. Administrators should consult the Microsoft Security Update Guide to identify the correct KB article for each build and deploy through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Disable the Function Discovery Resource Publication service (fdPHost) and Function Discovery Provider Host service on hosts that do not require network discovery.
- Block inbound UDP port 3702 at host-based firewalls for systems that do not need to participate in WS-Discovery.
- Segment IoT and printer networks that rely on WS-Discovery from general user and server VLANs to limit blast radius.
# Disable Function Discovery services on hosts that do not need WS-Discovery
sc.exe config fdPHost start= disabled
sc.exe config FDResPub start= disabled
sc.exe stop fdPHost
sc.exe stop FDResPub
# Block inbound WS-Discovery traffic at the Windows firewall
netsh advfirewall firewall add rule name="Block WS-Discovery UDP 3702" \
dir=in action=block protocol=UDP localport=3702
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
