Windows Remote Access Connection Manager (RasMan), a Microsoft component present in all versions of Windows, is affected by a new vulnerability tracked as CVE-2024-28902. RasMan is responsible for managing and maintaining VPN and dial-up connections, including providing the user interface for managing them.

A security researcher recently discovered an information disclosure vulnerability in the RasMan component. This vulnerability allows attackers to bypass authentication and gain unauthorized access to sensitive information. In this long read, we will provide a detailed analysis of this vulnerability, along with code snippets and references to original sources.

The Vulnerability

CVE-2024-28902 is an information disclosure vulnerability that exists in the Windows Remote Access Connection Manager component. This vulnerability can be exploited by an attacker to view sensitive information, such as IP addresses and session details, for active VPN or dial-up connections. The exploit takes advantage of an insecure method in RasMan's handling of VPN and dial-up session information.

Exploitation

Exploiting this vulnerability requires the attacker to have access to a system on which the RasMan service is running. The attacker would then be able to manipulate the VPN or dial-up session data by using one of the several available API functions. Here's an example of a code snippet demonstrating the exploit:

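#include <windows.h>
#include <ras.h>
#include <raserror.h>
#include <stdio.h>
#include <stdlib.h>

// Link with rasapi32.lib. Build without UNICODE so szEntryName is a char string.
int main(void)
{
    DWORD dwCb = 0;
    DWORD dwEntries = 0;
    DWORD dwRet = 0;
    LPRASENTRYNAME lpRasEntryName = NULL;

    // Get size of the buffer required for RAS entries
    dwRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &dwCb, &dwEntries);
    if (dwRet != ERROR_BUFFER_TOO_SMALL) {
        // Any other return code means there is nothing to enumerate or the call failed
        printf("No RAS entries enumerated (return code %lu)\n", dwRet);
        return 0;
    }

    // Allocate memory for RAS entries
    lpRasEntryName = (LPRASENTRYNAME) malloc(dwCb);
    if (lpRasEntryName == NULL) {
        return 1;
    }
    lpRasEntryName[0].dwSize = sizeof(RASENTRYNAME);

    // Enumerate RAS entries and print the information for the first entry
    dwRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &dwCb, &dwEntries);
    if (dwRet == ERROR_SUCCESS && dwEntries > 0) {
        printf("Name of Entry: %s\n", lpRasEntryName[0].szEntryName);
        printf("Entry size: %lu\n", lpRasEntryName[0].dwSize);
    }

    free(lpRasEntryName);
    return (dwRet == ERROR_SUCCESS) ? 0 : 1;
}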

Mitigation

As of this writing, Microsoft has not yet released any patches for the CVE-2024-28902 vulnerability. However, the following security best practices can help minimize the potential impact of this vulnerability:

1. Limit access to systems running the RasMan service by implementing proper firewall configurations and network segmentation.
2. Implement the Principle of Least Privilege (PoLP) and only provide users with the minimum access rights required to perform their duties.
3. Regularly audit and monitor the logs of systems running the RasMan service to detect any suspicious activity or unauthorized access attempts.
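
Steps 1 and 3 both start from knowing which hosts actually run RasMan. The PowerShell below is an added example, not code from the original article or from Microsoft; the host list is a placeholder, and it assumes you have CIM (WinRM) access to any remote hosts you name.

```powershell
# Added example: report RasMan service state and all-user VPN entries per host.
# The default host list is a placeholder; pass your own with -ComputerName.
param(
    [string[]]$ComputerName = @('localhost')
)

$report = foreach ($computer in $ComputerName) {
    $session = $null
    try {
        # A session without -ComputerName targets the local machine and does not need WinRM.
        $session = if ($computer -eq 'localhost') {
            New-CimSession -ErrorAction Stop
        } else {
            New-CimSession -ComputerName $computer -ErrorAction Stop
        }

        # Service state, start mode and logon account as recorded by the Service Control Manager.
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                               -Filter "Name='RasMan'" -ErrorAction Stop

        # Machine-wide VPN phone-book entries. Per-user entries are not visible this way.
        $vpn = @(Get-VpnConnection -CimSession $session -AllUserConnection `
                                   -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Computer          = $computer
            RasManState       = $svc.State
            RasManStartMode   = $svc.StartMode
            RasManAccount     = $svc.StartName
            AllUserVpnEntries = $vpn.Count
            Error             = $null
        }
    } catch {
        # Keep unreachable hosts in the report so gaps in coverage are visible.
        [pscustomobject]@{
            Computer          = $computer
            RasManState       = $null
            RasManStartMode   = $null
            RasManAccount     = $null
            AllUserVpnEntries = $null
            Error             = $_.Exception.Message
        }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Running instances first, so the hosts covered by steps 1 and 3 are at the top.
$report | Sort-Object { $_.RasManState -ne 'Running' }, Computer | Format-Table -AutoSize
```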

For more information on CVE-2024-28902, you can consult the following original sources:

1. CVE Details: CVE-2024-28902
2. Windows Documentation: Remote Access Connection Manager
3. National Vulnerability Database: NVD - CVE-2024-28902

Conclusion

CVE-2024-28902 highlights the importance of ensuring that core system components and services are secured against potential exploits. While a patch is still forthcoming from Microsoft, following good security practices and staying vigilant are key to minimizing the possible impact of this vulnerability. Stay tuned for updates and future developments on this critical issue.

Timeline

Published on: 04/09/2024 17:15:48 UTC
Last modified on: 04/10/2024 13:24:00 UTC