Windows 2003 SP2 RRAS – CVE-2017-11885

This CVE came out in December 2017 and you may be asking yourself why even post something now in May 2018. Because, when exploit code like Exploit-db hits and makes it so easy I figured why not revisit it.

The vulnerability essentially can allow an attacker to compromise your Windows system if you have Routing and Remote Access Service (RRAS) turned on. The attacker can gain shell access and remotely control the machine. See the exploit code above to get an idea of how easy it is to compromise the system that is vulnerable.

Essentially if you have the RRAS service turned on and you are running any of the Windows variants listed here on the Microsoft security bulletin CVE-2017-11885 you should take the time to patch your systems if you have not already.

Other methods of mitigation, for those of you that have not or cannot patch systems. You can deploy host-based IPS rules if you are running Deep Security. You may have already deployed these rules automagically if you have recommendation scan turned on in your Deep Security policy, which is how I recommend it be set up. Below are some quick screenshots of the IPS rule in Deep Security. If you haven’t already, patch, patch, patch.

Written by:

Matthew Chapman