
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft's Remote Registry client was found to contain a critical Elevation of Privilege (EoP) vulnerability, identified as CVE-2024-43532. The vulnerability was discovered by Akamai researcher Stiv Kupchik and disclosed to Microsoft in February 2024, with a patch released as part of the October 2024 Patch Tuesday. The flaw carries a high-severity CVSS score of 8.8 and affects the Remote Registry Service, particularly how the WinReg client handles authentication when the SMB protocol is unavailable (Security Online).
The vulnerability stems from a weakness in the WinReg client's authentication handling mechanism when SMB transport is unavailable. The system's BaseBindToMachine function implements an insecure fallback mechanism that switches to legacy protocols with inadequate security measures. When forced to connect over protocols like TCP/IP, it uses RpcBindingSetAuthInfoA to set the authentication level to Connect, which is considered insecure. This implementation flaw allows attackers to potentially relay NTLM authentication details across networks (Security Online).
The vulnerability enables attackers to relay the client's NTLM authentication details to Active Directory Certificate Services (ADCS) and request user certificates for further domain authentication. This can lead to unauthorized access to critical systems, potentially allowing attackers to create persistent domain administrator accounts and gain full control over corporate networks. The impact is particularly severe because exploiting the fallback mechanism bypasses multiple layers of security (Security Online).
Microsoft has addressed this vulnerability in the October 2024 Patch Tuesday update. The patch specifically targets the fallback behavior and ensures that insecure authentication protocols are no longer used when SMB failures occur (Security Online).
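For network monitoring, the fallback described above shows up as a DCE/RPC bind to the winreg interface that authenticates with NTLM at Connect level. The following sketch is an added example, not code from Microsoft, Akamai or this advisory: it parses a reassembled bind PDU taken from a TCP stream and flags that combination. The interface UUID and numeric constants come from the DCE/RPC and MS-RRP specifications rather than from this page, and the sample PDUs are constructed.

```python
import struct
import uuid

# Values from the DCE/RPC and MS-RRP specifications, not from the advisory text.
WINREG_IF = uuid.UUID("338cd001-2244-31f1-aaaa-900038001003")  # winreg interface
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND, AUTHN_WINNT, LEVEL_CONNECT, LEVEL_PKT_PRIVACY = 11, 10, 2, 6

def parse_bind(pdu: bytes):
    """Return (interface, auth_type, auth_level) of a bind PDU, or None."""
    if len(pdu) < 48 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return None
    if pdu[4] >> 4 != 1:  # only little-endian data representation is handled
        return None
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    if frag_len > len(pdu):
        return None  # truncated capture
    # 16-byte header + 8 bind bytes + 4 list bytes + 4 element bytes = offset 32.
    iface = uuid.UUID(bytes_le=pdu[32:48])  # first context element only
    if auth_len == 0:
        return iface, None, None  # unauthenticated bind
    trailer = frag_len - auth_len - 8  # 8-byte security trailer precedes the token
    if trailer < 48:
        return None
    return iface, pdu[trailer], pdu[trailer + 1]

def is_weak_winreg_bind(pdu: bytes) -> bool:
    """True for a winreg bind that authenticates with NTLM at Connect level."""
    return parse_bind(pdu) == (WINREG_IF, AUTHN_WINNT, LEVEL_CONNECT)

def build_sample(iface: uuid.UUID, auth_type: int, auth_level: int) -> bytes:
    """Constructed bind PDU for the demo; the 16-byte token is filler."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    token = b"\x00" * 16
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0) + token
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\x00\x00\x00",
                         16 + len(body) + len(trailer), len(token), 1)
    return header + body + trailer

if __name__ == "__main__":
    for level in (LEVEL_CONNECT, LEVEL_PKT_PRIVACY):
        pdu = build_sample(WINREG_IF, AUTHN_WINNT, level)
        print(level, "ALERT" if is_weak_winreg_bind(pdu) else "ok")
```

A hit from a host that should already carry the October 2024 update is worth checking against its patch state.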
Source: This report was generated using AI