CVE-2024-38120: Windows Server 2008 RRAS RCE Vulnerability

CVE-2024-38120 Overview

CVE-2024-38120 is a remote code execution vulnerability in the Windows Routing and Remote Access Service (RRAS). Microsoft published the advisory on August 13, 2024 as part of the August Patch Tuesday release. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects supported Windows Server releases from Server 2008 through Server 2022 23H2.

An attacker can exploit the issue over the network when a user on the target system interacts with attacker-controlled input. Successful exploitation results in full compromise of confidentiality, integrity, and availability on the affected host.

Critical Impact

Network-adjacent attackers can execute arbitrary code on Windows Servers running RRAS, achieving full system compromise when a user interaction trigger is satisfied.

Affected Products

• Microsoft Windows Server 2008 SP2 and Server 2008 R2 SP1
• Microsoft Windows Server 2012 and Server 2012 R2
• Microsoft Windows Server 2016, Server 2019, Server 2022, and Server 2022 23H2

Discovery Timeline

• 2024-08-13 - CVE-2024-38120 published to the National Vulnerability Database
• 2024-08-13 - Microsoft published security advisory and patch via Patch Tuesday
• 2024-08-16 - Last updated in NVD database

Technical Details for CVE-2024-38120

Vulnerability Analysis

The vulnerability resides in the Windows Routing and Remote Access Service (RRAS), a Windows Server role that provides routing, VPN, and dial-up remote access functions. RRAS handles a range of network protocols including PPP, PPTP, L2TP, SSTP, and IKEv2, exposing parsing logic that is reachable over the network.

Microsoft and the CWE mapping classify the flaw as a heap-based buffer overflow [CWE-122]. The condition occurs when RRAS processes specially crafted network input that exceeds the size of an allocated heap buffer. The overflow corrupts adjacent heap structures, enabling control of program execution within the privileged RRAS process.

The EPSS score is 6.256% with a percentile of 91.061, placing this CVE in the upper band of vulnerabilities likely to see exploitation activity. RRAS is not enabled by default on Windows Server, which limits the exposed attack surface to systems explicitly configured as routers, VPN gateways, or remote access servers.

Root Cause

The root cause is improper validation of the size of attacker-supplied input before copying it into a fixed-size heap buffer inside an RRAS protocol handler. The missing bounds check allows controlled data to overwrite heap metadata or adjacent objects, leading to code execution in the context of the service.

Attack Vector

Exploitation requires network access to an affected RRAS server and a user interaction component on the target side. Microsoft's CVSS vector indicates the attacker needs no privileges but does require a user to take an action, such as connecting to or interacting with an attacker-controlled endpoint that the RRAS service then processes.

No public proof-of-concept has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Detailed technical mechanics are not disclosed in the Microsoft advisory. Refer to the Microsoft CVE-2024-38120 Advisory for vendor-supplied details.

Detection Methods for CVE-2024-38120

Indicators of Compromise

• Unexpected crashes, restarts, or access violations in the RemoteAccess service or svchost.exe instance hosting RRAS
• Child processes spawning from the RRAS service host, particularly command interpreters such as cmd.exe or powershell.exe
• Anomalous inbound traffic to RRAS-related ports including TCP 1723 (PPTP), UDP 500/4500 (IKE/IPsec), and TCP 443 (SSTP) from untrusted sources

Detection Strategies

• Inventory all Windows Server systems with the Routing and Remote Access role enabled and compare against patch state for the August 2024 security update
• Enable Windows Event Log forwarding for service crash events (Event ID 7031, 7034) tied to the RemoteAccess service
• Monitor endpoint telemetry for process lineage anomalies involving the RRAS service host, which should not spawn interactive shells

Monitoring Recommendations

• Forward RRAS and system logs to a centralized SIEM or data lake for correlation with network flow data
• Alert on RRAS service crashes followed by network connections to external addresses within a short time window
• Track changes to RRAS configuration files and registry keys under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess

How to Mitigate CVE-2024-38120

Immediate Actions Required

• Apply the August 2024 Microsoft security update to all Windows Server hosts running the RRAS role
• Identify and prioritize patching of internet-facing VPN and remote access gateways using RRAS
• Restrict inbound access to RRAS service ports using firewall rules limited to known administrative ranges

Patch Information

Microsoft released patches for all affected Windows Server versions on August 13, 2024. Consult the Microsoft CVE-2024-38120 Advisory for the specific KB article and update package corresponding to each Windows Server build. Apply updates through Windows Update, WSUS, or your standard patch management workflow.

Workarounds

• Disable the Routing and Remote Access service on systems where it is not required for business operations
• Place RRAS endpoints behind a VPN concentrator or firewall that enforces source IP allow-listing
• Segment RRAS servers from sensitive internal networks to limit lateral movement potential if compromise occurs

# Verify RRAS service status and disable it where not required (run in elevated PowerShell)
Get-Service -Name RemoteAccess
Stop-Service -Name RemoteAccess -Force
Set-Service -Name RemoteAccess -StartupType Disabled

# Confirm August 2024 cumulative update is installed
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2024-08-13') }