Windows 远程桌面授权服务远程代码执行漏洞

攻击者利用此RCE漏洞可以完全控制受影响的系统。他们可以安装恶意软件、窃取敏感数据、破坏系统配置，甚至利用该系统作为跳板攻击网络中的其他系统。由于Remote Desktop Licensing Service通常暴露于网络中，因此该漏洞的潜在影响范围非常广泛。如果攻击者能够成功利用此漏洞，他们可以绕过身份验证机制，直接在目标系统上执行恶意代码，从而造成严重的损失。类似RCE漏洞的攻击，可能导致数据泄露、服务中断和声誉损害。

Organizations heavily reliant on Remote Desktop Services for remote administration or user access are particularly at risk. Environments with legacy Windows versions that are difficult to patch are also vulnerable. Shared hosting environments where the hosting provider manages the Remote Desktop Licensing Service should be monitored closely.

• windows / supply-chain:

Get-Service -Name RemoteDesktopLicensing | Select-Object DisplayName, Status, StartType, ServiceType, PathName

• windows / supply-chain:

Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-RemoteDesktopLicensingService']]]" -MaxEvents 100

• windows / supply-chain: Check Autoruns for unusual entries related to RemoteDesktopLicensingService.exe or its dependencies. • windows / supply-chain: Monitor for unusual network connections originating from the RemoteDesktopLicensingService process using Process Explorer or Resource Monitor.

1. 2024-09-10Disclosure

   disclosure

1. 已保留2024-08-14
2. 发布日期2024-09-10
3. 修改日期2024-12-31
4. EPSS 更新日期2026-04-02

微软建议尽快将Windows Remote Desktop Licensing Service升级至10.0.25398.1128或更高版本。如果无法立即升级，可以考虑实施一些临时缓解措施。例如，可以限制对Remote Desktop Licensing Service的访问，只允许授权用户访问。还可以使用防火墙规则来阻止来自不受信任网络的流量。此外，定期审查系统日志，以检测任何可疑活动。升级后，请验证服务是否正常运行，并确认漏洞已成功修复。