Windows high-risk security vulnerability CVE-2024-38077 PoC released IT administrators should ensure all machines are updated

The critical Windows security vulnerability CVE-2024-38077, which was patched on July 9, 2024, has now seen its Proof of Concept (PoC) published on GitHub. This vulnerability, with a CVSS score of 9.8 out of 10, falls into the category of remote code execution vulnerabilities.

For individual and home users, this vulnerability is nearly insignificant because it resides within the Remote Desktop Licensing Service (RDL Service), which is not installed by default. However, IT administrators in enterprises may enable this service as part of the Windows optional features for easier management.

This vulnerability was originally discovered and reported by security researchers @EdwardzPeng, @Lewis Lee, and @Ver0759. Microsoft addressed it in their July security update. Ensuring that the latest cumulative update is installed will safeguard against this vulnerability.

Vulnerability Overview:

• The vulnerability is located in the Windows Remote Desktop Licensing Manager service. It allows attackers to execute remote code with the highest privileges on the server without requiring any permissions.
• The vulnerability arises from a buffer overflow due to improper verification of the relationship between the decoded data length and the buffer size when decoding the user input license key package.
• It impacts all versions of Windows Server from 2008 to the 2025 Preview. For enterprises using Windows Server 2012 and later versions, Microsoft continues to provide security updates, and these enterprises need only install the updates to be protected.
• For businesses still utilizing older versions like Windows Server 2008/2008 R2, a temporary defense method is to uninstall the RDL service. Without the service installed, the vulnerability cannot be exploited.

The main researcher @EdwardzPeng has published the PoC for the vulnerability at the following link: https://sites.google.com/site/zhiniangpeng/blogs/MadLicense

Typically, after the publication of a PoC, it doesn't take long for hackers to identify detailed exploitation methods, leading to potential attacks. However, researchers have given enterprises a month to patch the vulnerability. If businesses have not yet patched and are attacked, the responsibility falls on them.

Affected Versions:

• Windows Server 2025 Preview
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows Server 2022 (Server Core installation)
• Windows Server 2022
• Windows Server 2019 (Server Core installation)
• Windows Server 2019
• Windows Server 2016 (Server Core installation)
• Windows Server 2016
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 (Server Core installation)
• Windows Server 2012
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) [Listed twice, possibly an error]
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) [Listed twice, possibly an error]
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) [Listed twice, possibly an error]

This extensive vulnerability coverage and the publication of a PoC underscores the necessity for IT administrators to ensure all systems are updated promptly to mitigate potential risks.