October 2024 Windows Updates brought a patch for CVE-2024-43532, a vulnerability in Windows Remote Registry Service that could allow an attacker with access to network communication between administrator's computer and computer under remote administration to hijack the network connection and obtain administrator's credentials. These could then be relayed to another server, for instance an Active Directory Certificate Server, and used for creating a new certificate for subsequent authentication.
Note that the official title of this issue ("Remote Registry Service Elevation of Privilege Vulnerability") is incorrect, as the vulnerability is not in the Remote Registry Service but rather in the remote registry client code, i.e., in the component that remotely connects to the Remote Registry Service on another computer. We're reluctantly keeping this title to avoid the risk of anyone thinking these are two separate issues.
Security researcher Stiv Kupchik of Akamai found this vulnerability and reported it to Microsoft. Subsequently, Stiv published a detailed article and provided a proof-of-concept tool.
The Vulnerability
The root cause of this vulnerability is the use of an insecure authentication level in a RpcBindingSetAuthInfo call (advapi32.dll) from function BaseBindToMachine, which provides user-supplied parameters that control the behavior of an RPC binding to the remote machine.
The default behavior of the BaseBindToMachine call is to first try to bind to the RPC endpoint using named pipes and RPC_C_AUTHN_LEVEL_PKT_PRIVACY, but when that doesn't work, fall back to the vulnerable tcp_ip protocol with RPC_C_AUTHN_LEVEL_CONNECT - which provides no security. Because of the vulnerable RPC_C_AUTHN_LEVEL_CONNECT parameter, the tcp_ip biding can then be relayed to a different endpoint of attacker's choosing, while authenticating with victim's credentials.
Stiv Kupchik found one occurrence of the vulnerable RegConnectRegistryExW call in the registry editor application, but various other applications are likely to use remote registry connections in the same way.
Microsoft's Patch
Microsoft patched this issue by changing the default behavior of remote registry connections initiated through function BaseBindToMachine, but it also introduced new registry values that control the protocol fallback policy and security policy.
Our Micropatch
Our patch is logically equivalent to enforcing the "patched" behavior of function BaseBindToMachine (i.e., when TransportFallbackPolicy is absent or set to 1 - DEFAULT), disabling the fallback functionality and only allowing remote registry connections over named pipes with RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
Our patch has a single CPU instruction, whereby the pointer to the fallback protocol name is set to 0. Microsoft's original code in advapi32.dll then does the rest.
;XX-2562
MODULE_PATH "..\AffectedModules\advapi32.dll_10.0.19041.1052_Win10-2004_64-bit_u2021-12\advapi32.dll"
PATCH_ID 2029
PATCH_FORMAT_VER 2
VULN_ID 7839
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x42d9c
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
code_start
mov r15, 0x0 ;move 0 to r15 to replace the fallback protocol name pointer.
code_end
patchlet_end
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 (standard and R2) - fully udpated with no ESU
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you're using Windows that aren't
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won't be exploited on your computers - and you won't
even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Stiv Kupchik of Akamai for sharing their analysis and proof-of-concept, which made it possible for us to create a
micropatch for this issue.
