
A researcher from Akamai has released proof-of-concept (PoC) exploit code for a critical elevation-of-privilege vulnerability, tracked as CVE-2024-43532 with a CVSS score of 8.8.
The vulnerability lies in a fallback mechanism of the WinReg client, which insecurely switches to obsolete transport protocols when the preferred SMB transport is unavailable. This lets an attacker relay NTLM authentication, potentially compromising sensitive systems.
The issue stems from outdated authentication practices within Microsoft’s Remote Procedure Call (RPC) framework, which allows processes on different machines to communicate over the network, and shows up in particular when RPC is used to reach the Remote Registry service.
Microsoft’s RPC protocol relies on insecure authentication levels, which allows attackers to relay credentials across networks. When an RPC client binds to a server, authentication metadata is passed along, and that metadata can be intercepted and manipulated.
The real risk lies in the fallback behavior of the BaseBindToMachine function, which uses a weak authentication level when it is forced to connect over a less secure transport such as TCP/IP. This fallback lets an attacker act as a man-in-the-middle and relay the credentials to other systems, in particular Active Directory Certificate Services (ADCS).
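To make the fallback behaviour concrete from a defender's point of view, the following is an added, simplified model (not Akamai's PoC and not Microsoft's code) of the decision the article describes: the client prefers the SMB named-pipe transport and, when that is unavailable, falls back to TCP/IP with a weaker RPC authentication level. The RPC authentication-level constants and protocol-sequence names are the real ones from the Windows RPC API; the `bind_to_machine` and `relay_exposed` functions, and the assumption that the patched client keeps packet integrity on the fallback path, are constructed for this illustration.

```python
"""Constructed model of the WinReg transport fallback and of why the RPC
authentication level decides whether a bind is exposed to NTLM relay.
This is an added illustration, not the vulnerable code or the PoC."""
from dataclasses import dataclass
from enum import IntEnum


class AuthnLevel(IntEnum):
    """RPC_C_AUTHN_LEVEL_* values as defined in rpcdce.h."""
    DEFAULT = 0
    NONE = 1
    CONNECT = 2        # authenticate once at bind time, no per-packet protection
    CALL = 3
    PKT = 4
    PKT_INTEGRITY = 5  # every packet is signed with a session-derived key
    PKT_PRIVACY = 6    # every packet is signed and encrypted


# Real RPC protocol-sequence names: SMB named pipe vs. raw TCP/IP transport.
SMB_NAMED_PIPE = "ncacn_np"
TCP_TRANSPORT = "ncacn_ip_tcp"


@dataclass(frozen=True)
class Binding:
    transport: str
    authn_level: AuthnLevel


def bind_to_machine(smb_available: bool, patched: bool) -> Binding:
    """Simplified, constructed model of the fallback decision the article
    attributes to BaseBindToMachine."""
    if smb_available:
        # Preferred path: the SMB session itself provides the protection;
        # modelled here as a fully protected binding.
        return Binding(SMB_NAMED_PIPE, AuthnLevel.PKT_PRIVACY)
    if not patched:
        # Vulnerable behaviour: fall back to TCP with connect-level
        # authentication only, so nothing binds the NTLM exchange to this
        # session and the messages can be relayed elsewhere.
        return Binding(TCP_TRANSPORT, AuthnLevel.CONNECT)
    # Assumed patched behaviour: the fallback keeps packet integrity so the
    # authentication is tied to the session (assumption, not Microsoft's code).
    return Binding(TCP_TRANSPORT, AuthnLevel.PKT_INTEGRITY)


def relay_exposed(binding: Binding) -> bool:
    """A bind that requires no packet signing leaves the NTLM messages
    reusable against another service; signing with a session-key-derived
    key makes a relayed authentication useless to the relay."""
    return binding.authn_level < AuthnLevel.PKT_INTEGRITY


def assess(hosts: dict[str, bool], patched: bool) -> dict[str, bool]:
    """For each host name (constructed sample) and its SMB reachability,
    report whether a WinReg bind would be relay-exposed."""
    return {
        host: relay_exposed(bind_to_machine(smb_ok, patched))
        for host, smb_ok in hosts.items()
    }


if __name__ == "__main__":
    # Constructed sample: one host reachable over SMB, one only over TCP.
    sample = {"fileserver01.example.local": True, "legacyapp07.example.local": False}
    for label, patched in (("unpatched", False), ("patched", True)):
        print(label, assess(sample, patched))
```

The model shows the defender's takeaway: blocking the SMB path (firewall rules, disabled SMB) on an unpatched client does not make the Remote Registry traffic go away, it makes it weaker, so the October 2024 update, not network hardening alone, is what removes the relay exposure.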
The Akamai team created PoC exploit code for CVE-2024-43532 and shared it publicly via their GitHub repository. The implications are serious: an attacker could potentially gain full control over the network, bypassing multiple layers of security simply by exploiting an obscure fallback mechanism.
This vulnerability was responsibly disclosed to Microsoft’s Security Response Center (MSRC) in February 2024, and a patch was issued as part of October 2024’s Patch Tuesday. Microsoft’s update addressed the fallback behavior and ensured that insecure authentication protocols are no longer used in the event of SMB failures.
Disclosure timeline
- 02/01/2024 — Vulnerability disclosed to MSRC
- 04/25/2024 — Report closed as documentation issue
- 06/17/2024 — Report re-opened with better PoC and explanation
- 07/08/2024 — Vulnerability confirmed
- 10/08/2024 — Patch released
This research documentation and PoC were created by Akamai researcher Stiv Kupchik. For more information, refer to the blog.