Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now

Microsoft warned customers this Tuesday to patch a critical TCP/IP remote code execution (RCE) vulnerability with an elevated likelihood of exploitation that impacts all Windows systems using IPv6, which is enabled by default.

Discovered by Kunlun Lab's XiaoWei and tracked as CVE-2024-38063, this security bug is caused by an Integer Underflow weakness, which attackers could exploit to trigger buffer overflows that can be used to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems.

“Considering its harm, I can't disclose more details in the short term,” the security researcher tweeted, adding that blocking IPv6 on the local Windows firewall will not block exploits because the vulnerability is triggered before the packet is processed by the firewall.

As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.

Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently exploit the flaw in attacks.”

“Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created,” Redmond explains.

“As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.”

As a mitigation measure for those who cannot immediately install this week's Windows security updates, Microsoft recommends disabling IPv6 to remove the attack surface.

However, on its support website, the company says the IPv6 network protocol stack is a “mandatory part of Windows Vista and Windows Server 2008 and newer versions” and does not recommend toggling off IPv6 or its components, because this could cause some Windows components to stop working.
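The two paragraphs above boil down to an audit-first workflow: find out which adapters still have the IPv6 stack bound and whether the fix is installed, and only unbind IPv6 as a stopgap on hosts that cannot be patched yet. The script below is an added example, not code from the article, Microsoft or the researcher; the KB identifier is a placeholder because the article does not give it, and the host firewall is deliberately not consulted for the reason XiaoWei gives.

```powershell
# Added example: audit IPv6 binding state and patch presence for CVE-2024-38063.
# Placeholder: take the real KB number for your build from Microsoft's advisory.
$PatchKB = 'KB<placeholder-from-advisory>'

function Get-Ipv6ExposureReport {
    [CmdletBinding()]
    param([string]$KB = $PatchKB)

    # ms_tcpip6 is the component ID of the IPv6 protocol binding on each adapter.
    $bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop
    $patched  = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        [pscustomobject]@{
            Adapter      = $b.Name
            IPv6Bound    = $b.Enabled
            PatchPresent = $patched
            # Exposed only when IPv6 is bound and the fix is missing. The Windows
            # firewall is not a factor: the bug triggers before the firewall sees the packet.
            Exposed      = ($b.Enabled -and -not $patched)
        }
    }
}

function Disable-Ipv6Binding {
    # Temporary workaround only; Microsoft advises against leaving IPv6 off.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Adapter)

    foreach ($name in $Adapter) {
        if ($PSCmdlet.ShouldProcess($name, 'Unbind IPv6 (ms_tcpip6)')) {
            Disable-NetAdapterBinding -Name $name -ComponentID 'ms_tcpip6'
        }
    }
}

# Usage: report first, then act only on adapters the report marks as exposed.
# Drop -WhatIf to actually unbind; re-enable with Enable-NetAdapterBinding after patching.
$report = Get-Ipv6ExposureReport
$report | Format-Table -AutoSize
$exposed = $report | Where-Object Exposed | Select-Object -ExpandProperty Adapter
if ($exposed) { Disable-Ipv6Binding -Adapter $exposed -WhatIf }
```

Disable-NetAdapterBinding needs an elevated session; the report itself does not.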

Wormable vulnerability

Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, also labeled the CVE-2024-38063 bug as one of the most severe vulnerabilities fixed by Microsoft this Patch Tuesday, tagging it as a wormable flaw.

“The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target,” Childs said.

“That means it's wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on almost everything.”

While Microsoft and other companies warned Windows users to patch their systems as soon as possible to block potential attacks using CVE-2024-38063 exploits, this is not the first and likely will not be the last Windows vulnerability exploitable using IPv6 packets.

Over the last four years, Microsoft has patched several other IPv6 issues, including two TCP/IP flaws tracked as CVE-2020-16898/9 (also known as Ping of Death) that can be exploited in remote code execution (RCE) and denial of service (DoS) attacks using malicious ICMPv6 Router Advertisement packets.

Additionally, an IPv6 fragmentation bug (CVE-2021-24086) left all Windows versions vulnerable to DoS attacks, and a DHCPv6 flaw (CVE-2023-28231) made it possible to gain RCE with a specially crafted call.

Although attackers have yet to exploit them in widespread attacks targeting all IPv6-enabled Windows devices, users are still advised to apply this month's Windows security updates immediately because of CVE-2024-38063's elevated likelihood of exploitation.
