The S2W Threat Intelligence Center has published a threat intelligence report on the Windows server vulnerability CVE-2024-38077, which it has been closely monitoring.
The report was originally published on September 3, 2024, but is being shared now as a significant number of dark web users expressing interest in purchasing this vulnerability have recently been identified.
✅ Report Title:
Analysis of Windows Server Remote Desktop Licensing Service Vulnerability, CVE-2024-38077 (MadLicense)
✅ Executive Summary:
- This report provides an analysis of CVE-2024-38077 (MadLicense), a vulnerability discovered in the Remote Desktop Licensing Service of Windows Server.
- The vulnerability is a Remote Code Execution flaw caused by insufficient input validation and improper memory management during the License Key Pack data processing of the Remote Desktop Licensing Service.
- All Windows Server products with the Remote Desktop Licensing Service enabled and without cumulative updates from July 2024 or later are known to be vulnerable.
- You can verify the updates installed on your Windows Server by navigating to Control Panel > Programs and Features > View Installed Updates. Check the KB number of the installed updates, and if your system has cumulative updates prior to July 2024, it is recommended to update to the latest version. If updating is not feasible, follow the temporary mitigation measures provided in the section "Threat Detection Recommendations and Mitigation Actions" below.
- Attackers with sufficient knowledge of exploiting heap buffer overflow bugs, as well as a deep understanding of Windows heap and RPC mechanisms, could relatively easily develop the incomplete code into a fully functional exploit. It is anticipated that exploitation attempts may occur soon.
- Disable the Remote Desktop Licensing Service: if the Windows Server is used as a Remote Desktop Session Host, disabling this service may cause issues. If the Remote Desktop Licensing Service is not required, it is recommended to keep it disabled even after applying updates to minimize the attack surface.
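An added audit script for the two checks above (installed-update age and the Remote Desktop Licensing service state); it is not part of the S2W report. It assumes the service's short name is TermServLicensing and approximates "cumulative updates from July 2024 or later" by comparing the newest Get-HotFix install date against the 2024-07-09 patch date.

```powershell
# Added example (not from the S2W report). Assumptions: the Remote Desktop Licensing
# service short name is TermServLicensing; "July 2024 or later" is approximated by the
# newest Get-HotFix InstalledOn date versus the 2024-07-09 patch date.
# Run in an elevated PowerShell session; pass -DisableService only when the host is
# not a Remote Desktop Session Host that depends on licensing.
param(
    [switch]$DisableService
)

$PatchDate = Get-Date '2024-07-09'

# 1. Is the Remote Desktop Licensing service installed, and in what state?
$svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'Remote Desktop Licensing service not installed: not exposed to CVE-2024-38077.'
} else {
    Write-Output ('Remote Desktop Licensing service: Status={0}, StartType={1}' -f $svc.Status, $svc.StartType)
}

# 2. Newest dated update. Get-HotFix reports KB ids and install dates; entries with
#    no InstalledOn value are skipped and the result is reported as unknown.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$newest = $hotfixes | Select-Object -First 1
if ($null -eq $newest) {
    Write-Output 'No dated updates found; verify manually under View Installed Updates.'
} elseif ($newest.InstalledOn -lt $PatchDate) {
    Write-Output ('Newest update {0} installed {1:yyyy-MM-dd} predates the July 2024 fix: VULNERABLE if the service is enabled.' -f $newest.HotFixID, $newest.InstalledOn)
} else {
    Write-Output ('Newest update {0} installed {1:yyyy-MM-dd}: at or after the July 2024 fix.' -f $newest.HotFixID, $newest.InstalledOn)
}

# 3. Optional mitigation from the summary: stop and disable the service when it is not needed.
if ($DisableService -and $svc) {
    Stop-Service -Name 'TermServLicensing' -Force
    Set-Service -Name 'TermServLicensing' -StartupType Disabled
    Write-Output 'Remote Desktop Licensing service stopped and set to Disabled.'
}
```

Get-HotFix reads Win32_QuickFixEngineering, which can omit some update types, so confirm the KB number under View Installed Updates as the summary recommends.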
📌 What are the specific details about CVE-2024-38077?
- CVE Number: CVE-2024-38077
- Disclosure or Patch Date: 2024-07-09
- Product: Windows Server
- Vendor: Microsoft
- Confirmed Affected Version: Windows Server < 2024-07 Cumulative Update
- Patched Version: Windows Server ≥ 2024-07 Cumulative Update
- Reporter (Advisor): Lewis Lee, Chunyang Han and Zhiniang Peng
- Causes: In the affected Remote Desktop Licensing Service, when decoding the License Key Pack data provided by the user, memory for storing the decoding result is allocated with a fixed size of 21 bytes, regardless of the user input. If the decoded size of the License Key Pack data exceeds 21 bytes, a heap buffer overflow occurs, potentially overwriting adjacent data within the same heap.
✅ Recommended Threat Detection and Mitigation Actions:
- While no known exploitation cases have been reported yet, a partial PoC code demonstrating remote code execution on certain builds of Windows Server 2025 Preview has been made public, warranting caution.
- All Windows Server product lines with the Remote Desktop Licensing Service enabled and without cumulative updates from July 2024 or later are known to be vulnerable.
- If updating is not possible, follow the temporary mitigation measures outlined below.
For more details, refer to the full report. If needed, please use the link below to request the full report.
🧑‍💻 Report Author: S2W TALON (Updated 2024-09-03)
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request.