Overview
A significant security vulnerability, identified as CVE-2024-43532, has been discovered in Microsoft's Remote Registry client. This flaw allows attackers to exploit the Remote Procedure Call (RPC) authentication process, potentially leading to unauthorized control over Windows domains. The vulnerability affects multiple versions of Windows Server and client operating systems, including Windows 10 and 11.
Background
The Remote Registry service enables remote management of the Windows registry, facilitating administrative tasks across networked systems. It operates over the RPC protocol, which supports various transport mechanisms, including Server Message Block (SMB) and Transmission Control Protocol/Internet Protocol (TCP/IP). In scenarios where SMB transport is unavailable, the Remote Registry client defaults to using TCP/IP. However, this fallback mechanism employs a weaker authentication level, specifically INLINECODE0, which lacks proper verification of the authenticity and integrity of the connection.
Technical Details
The vulnerability arises from the client's handling of RPC authentication during fallback scenarios. When SMB transport is unavailable, the client switches to TCP/IP and uses the INLINECODE1 authentication level. This level does not verify the authenticity or integrity of the connection, making it susceptible to NTLM relay attacks. An attacker can intercept the NTLM authentication handshake from the client and relay it to another service, such as Active Directory Certificate Services (ADCS), to obtain a user certificate. This certificate can then be used for further authentication within the domain, potentially leading to unauthorized access and control.
Implications and Impact
Exploitation of CVE-2024-43532 can have severe consequences, including:
- Elevation of Privileges: Attackers can gain higher-level access within the domain, potentially escalating to domain administrator privileges.
- Unauthorized Access: Compromised credentials can be used to access sensitive information and critical systems.
- Domain Takeover: With elevated privileges, attackers can create new domain administrator accounts, modify security settings, and disrupt operations.
The vulnerability affects all unpatched versions of Windows Server from 2008 through 2022, as well as Windows 10 and Windows 11. Given the widespread use of these systems, the potential impact is substantial.
Mitigation Measures
To protect against CVE-2024-43532, it is recommended to:
- Apply Security Updates: Microsoft released a patch addressing this vulnerability as part of the October 2024 Patch Tuesday updates. Ensure all affected systems are updated promptly.
- Disable Remote Registry Service: If the Remote Registry service is not essential, disable it to reduce the attack surface.
- Monitor RPC Calls: Utilize Event Tracing for Windows (ETW) to monitor specific RPC calls related to the WinReg RPC interface.
- Implement Stronger Authentication: Configure systems to require higher authentication levels, such as INLINECODE2, to ensure the integrity and confidentiality of RPC communications.
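The monitoring step above can be turned into a simple triage rule: flag WinReg RPC bindings that arrive over TCP/IP with an authentication level below packet integrity, since those are the connections the fallback path produces. The following is an added example, not code from the original advisory or from Microsoft; it runs over constructed log lines in an assumed format (the real ETW RPC provider's event schema differs), using the documented RPC authentication-level constants and the well-known WinReg interface UUID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RPC authentication levels as defined in rpcdce.h / MS-RPCE.
RPC_C_AUTHN_LEVEL_NONE = 1
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_CALL = 3
RPC_C_AUTHN_LEVEL_PKT = 4
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6
LEVEL_NAMES = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}

# Interface UUID of the Windows Remote Registry (WinReg) RPC interface.
WINREG_IFACE = "338cd001-2244-31f1-aaaa-900038001003"

# Assumed (constructed) log line format, one RPC client binding per line:
# "<timestamp> iface=<uuid> proto=<ncacn_*> authn_level=<n> src=<host>"
LINE_RE = re.compile(r"iface=(?P<iface>[0-9a-f-]{36}) proto=(?P<proto>\S+) "
                     r"authn_level=(?P<level>\d+) src=(?P<src>\S+)")

@dataclass
class Finding:
    src: str
    proto: str
    level: int
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a WinReg binding over TCP/IP that lacks packet integrity."""
    m = LINE_RE.search(line)
    if not m or m["iface"].lower() != WINREG_IFACE:
        return None  # not a WinReg binding (or unparseable): out of scope
    level, proto = int(m["level"]), m["proto"]
    # ncacn_np rides on SMB, which the advisory treats as the safe transport;
    # ncacn_ip_tcp is the fallback, and anything below PKT_INTEGRITY there is relayable.
    if proto == "ncacn_ip_tcp" and level < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY:
        name = LEVEL_NAMES.get(level, str(level))
        return Finding(m["src"], proto, level,
                       f"WinReg over TCP/IP at RPC_C_AUTHN_LEVEL_{name}: no integrity protection")
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]

SAMPLE_LOG = [  # constructed sample data
    "2024-10-09T10:00:01Z iface=338cd001-2244-31f1-aaaa-900038001003 proto=ncacn_np authn_level=6 src=ws01",
    "2024-10-09T10:00:02Z iface=338cd001-2244-31f1-aaaa-900038001003 proto=ncacn_ip_tcp authn_level=2 src=ws02",
    "2024-10-09T10:00:03Z iface=338cd001-2244-31f1-aaaa-900038001003 proto=ncacn_ip_tcp authn_level=6 src=ws03",
    "2024-10-09T10:00:04Z iface=deadbeef-0000-4000-8000-000000000001 proto=ncacn_ip_tcp authn_level=2 src=ws04",
]
```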
Conclusion
CVE-2024-43532 represents a critical security risk to Windows domains, emphasizing the need for prompt action to mitigate potential exploits. By applying the necessary patches and implementing recommended security measures, organizations can protect their systems from unauthorized access and maintain the integrity of their networked environments.