CVE-2024-43564 Overview
CVE-2024-43564 is a remote code execution vulnerability in the Windows Routing and Remote Access Service (RRAS). The flaw affects multiple Microsoft Windows Server releases, from Windows Server 2008 through Windows Server 2022 23H2. Microsoft disclosed the issue as part of its October 2024 security updates.
The vulnerability carries a CVSS 3.1 base score of 8.8 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Successful exploitation requires user interaction but no prior authentication. The associated weakness is [CWE-122] Heap-based Buffer Overflow.
Critical Impact
An attacker who successfully exploits CVE-2024-43564 can execute arbitrary code on an affected Windows Server, leading to full confidentiality, integrity, and availability compromise of the host.
Affected Products
- Microsoft Windows Server 2008 SP2 and Windows Server 2008 R2 SP1
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-10-08 - CVE-2024-43564 published to NVD
- 2024-10-08 - Microsoft releases security update for CVE-2024-43564
- 2024-10-17 - Last updated in NVD database
Technical Details for CVE-2024-43564
Vulnerability Analysis
The vulnerability resides in the Routing and Remote Access Service, a Windows Server role that provides routing, VPN, and dial-up remote access functionality. RRAS processes network protocol traffic in kernel and user-mode components that parse complex protocol structures. A flaw in this parsing path permits a heap-based buffer overflow on the affected host.
The attack vector is network-based, but the CVSS metrics indicate user interaction is required. In practical terms, an attacker typically convinces a victim with privileges on the RRAS host to connect to or process attacker-controlled content. Successful exploitation yields arbitrary code execution in the context of the vulnerable service.
Because RRAS often runs on perimeter or VPN concentrator systems, a compromised host can give attackers a foothold into internal networks. The affected component spans more than a decade of Windows Server releases, broadening the exposed footprint.
Root Cause
The root cause is a heap-based buffer overflow [CWE-122] in RRAS code that handles attacker-influenced protocol data. Insufficient bounds checking on a length or size field allows data to be written past the end of an allocated heap buffer, corrupting adjacent memory structures.
Attack Vector
The attack originates over the network and is directed at a system running RRAS. Exploitation requires a user on the target side to take an action, such as initiating or accepting a connection that processes the malformed payload. No credentials are needed on the target.
No public proof-of-concept code or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS data indicates an elevated probability of exploitation relative to the broader CVE population.
Detection Methods for CVE-2024-43564
Indicators of Compromise
- Unexpected crashes, restarts, or watchdog events for the RemoteAccess service or svchost.exe instances hosting RRAS.
- New or unusual child processes spawned from RRAS-related service hosts, particularly command interpreters or scripting engines.
- Outbound connections from the RRAS host to unknown external IPs immediately following an inbound RRAS protocol session.
Detection Strategies
- Monitor Windows Event Logs for service crash events (Event ID 7031, 7034) referencing RemoteAccess or related dependencies.
- Correlate inbound traffic on RRAS-related ports (PPTP/TCP 1723, L2TP/UDP 1701, SSTP/TCP 443, GRE protocol 47) with subsequent anomalous process activity.
- Apply behavioral analytics to flag process-tree anomalies originating from RRAS service hosts after remote sessions.
Monitoring Recommendations
- Enable detailed RRAS logging and forward events to a central SIEM or data lake for retention and correlation.
- Baseline normal RRAS connection patterns and alert on deviations such as unusual source geographies or session rates.
- Track patch state of all Windows Server hosts with the Remote Access role enabled and alert on unpatched systems.
How to Mitigate CVE-2024-43564
Immediate Actions Required
- Apply the Microsoft October 2024 security updates for CVE-2024-43564 to all affected Windows Server versions as identified in the Microsoft Security Update Guide.
- Inventory all systems with the Routing and Remote Access role enabled and prioritize internet-facing hosts.
- Restrict access to RRAS endpoints to known administrative networks until patching is complete.
Patch Information
Microsoft has released security updates addressing CVE-2024-43564 across supported and Extended Security Update (ESU) editions of Windows Server. Refer to the Microsoft Security Update for CVE-2024-43564 for the specific KB numbers and download links matching each affected build.
Workarounds
- Disable the Routing and Remote Access Service on hosts that do not require it, removing the attack surface entirely.
- Block RRAS-related protocols (PPTP, L2TP, SSTP, GRE) at perimeter firewalls where remote access is not in scope.
- Require VPN clients to authenticate through a hardened front-end (for example, a reverse proxy or VPN gateway with strict allow-listing) before traffic reaches RRAS.
# Disable Routing and Remote Access on hosts that do not need it (PowerShell, run as Administrator)
Stop-Service -Name RemoteAccess -Force
Set-Service -Name RemoteAccess -StartupType Disabled
Uninstall-WindowsFeature -Name RemoteAccess -IncludeManagementTools
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
