Dear customers, in addition to our latest update, we have created an improved version of the visibility query. This new version is designed to detect unpatched servers running the RDS Licensing service.
In addition, Axon reports have been published to Team Axon customers. In those reports, you can also find the updated deliverables list.
The team is still tracking the "MadLicense" vulnerability and will publish an update if needed. If you have any questions regarding the queries' results or in general, please do not hesitate to reach out to us.
Sincerely, Team Axon.
Posted Aug 18, 2024 - 10:15 UTC
Update
Dear customers, following our latest update regarding CVE-2024-38077, we would like to inform you that a visibility dashboard is now available in the Hunters portal.
This dashboard can be found in the Hunters platform by navigating to: "Data" --> "Visibility" --> "MadLicense - CVE-2024-38077 - Identification of Servers with RDS License service enabled". The data included in this dashboard is based on the identification of svchost instances that included the "tslicensing" flag during the last 14 days.
Team Axon is aware of a critical RCE flaw (CVE-2024-38077) affecting the Windows Remote Desktop Licensing Service. This vulnerability, known as "MadLicense", allows remote unauthenticated code execution due to a heap buffer overflow. By manipulating user-controlled input, attackers can trigger the overflow and achieve arbitrary code execution within the context of the RDL service.
The team has noticed the publication of several Proof-of-Concepts related to this vulnerability, is actively researching the details, and will provide updates after thoroughly analyzing and assessing the vulnerability.
According to Microsoft, the vulnerability affects the following versions of Windows Server with the Remote Desktop Licensing Service enabled:
- Windows Server 2008 build earlier than 10.0.6003.22769
- Windows Server 2008 R2 build earlier than 10.0.7601.27219
- Windows Server 2012 build earlier than 10.0.9200.24975
- Windows Server 2012 R2 build earlier than 10.0.9600.22074
- Windows Server 2016 build earlier than 10.0.14393.7159
- Windows Server 2019 build earlier than 10.0.17763.6054
- Windows Server 2022 build earlier than 10.0.20348.2582
- Windows Server 2022 23H2 build earlier than 10.0.25398.1009
In the meantime, to mitigate the risk, follow these steps:
- Install the updates for this vulnerability; detailed patch information can be found in the Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38077
- If the RDL service is not required, consider disabling it. In all cases, Microsoft recommends that you install the updates for this vulnerability as soon as possible, even if you plan to leave the RDL service disabled.
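As an added example (not Team Axon's visibility query and not part of the original notice), the following PowerShell check mirrors the dashboard logic from the host side: it looks for the RDL service and the "tslicensing" svchost flag, then compares the installed build against the fixed builds listed above. The service name TermServLicensing and the ntoskrnl.exe fallback for older servers are assumptions.

```powershell
# Added example, not Team Axon's visibility query: local check for CVE-2024-38077 exposure.
# A host is flagged when the Remote Desktop Licensing (RDL) service is present and the OS
# build is below the fixed build the advisory lists for that product line.
# Assumptions: service name 'TermServLicensing' (display name "Remote Desktop Licensing"),
# the 'tslicensing' svchost flag named in the advisory, and ntoskrnl.exe as a fallback
# build source on Server 2008/2008 R2, which lack the UBR registry value.

# Fixed builds per product line, copied from the advisory (key = build, value = revision).
$FixedBuilds = @{
    '6003'  = 22769   # Windows Server 2008
    '7601'  = 27219   # Windows Server 2008 R2
    '9200'  = 24975   # Windows Server 2012
    '9600'  = 22074   # Windows Server 2012 R2
    '14393' = 7159    # Windows Server 2016
    '17763' = 6054    # Windows Server 2019
    '20348' = 2582    # Windows Server 2022
    '25398' = 1009    # Windows Server 2022 23H2
}

function Get-RdlExposure {
    # RDL service object (null when the role is not installed) ...
    $svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
    # ... and the same signal the dashboard uses: svchost instances carrying 'tslicensing'
    $hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        Where-Object { $_.CommandLine -match 'tslicensing' }

    # Installed build and revision: UBR from the registry where it exists, else ntoskrnl.exe
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    if ($null -ne $cv.UBR) {
        $rev = [int]$cv.UBR
    } else {
        $kernel = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
        $rev = ([version]$kernel.ProductVersion).Revision
    }

    $fixed = $FixedBuilds[$build]
    $patched = if ($null -eq $fixed) { $null } else { $rev -ge $fixed }   # $null = unknown line
    $fixedText = if ($fixed) { "$build.$fixed" } else { 'not in advisory' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdlInstalled = [bool]$svc
        RdlRunning   = (($svc -and $svc.Status -eq 'Running') -or [bool]$hosts)
        OsBuild      = "$build.$rev"
        FixedBuild   = $fixedText
        Patched      = $patched
        Exposed      = ([bool]$svc -and ($patched -eq $false))
    }
}

Get-RdlExposure | Format-List
```

Run it in an elevated session on each server; a result with Exposed = True is a host that should be patched (or have the RDL service disabled) first.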
For further assistance, please don't hesitate to contact us.