
Microsoft warned customers to patch a critical TCP/IP remote code execution (RCE) vulnerability that impacts all Windows systems (client and server) using the IPv6 stack. The vulnerability is identified as CVE-2024-38063 and is rated 9.8 out of 10 on the CVSS severity scale.

Note that on Windows systems IPv6 is enabled by default and that, in the past, Microsoft itself has not recommended disabling IPv6:

“We do not recommend that you disable IPv6 or its components, or some Windows components may not function.” (https://support.microsoft.com/en-us/kb/929852)

The flaw, discovered by Kunlun Lab’s XiaoWei, stems from an integer underflow weakness. Attackers could exploit this to trigger buffer overflows, paving the way for arbitrary code execution. XiaoWei has refrained from disclosing further details for now so as to make it harder for malicious actors to take advantage of it.

Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, also labeled it as “wormable,” meaning it could spread between vulnerable systems without user interaction.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could repeatedly send IPv6 packets that include specially crafted packets to a Windows machine, which could enable remote code execution.

Mitigation

Systems are not affected if IPv6 is disabled on the target machine. Note that using the Windows firewall to block IPv6 is not enough!

Alternatively, install Windows 11’s August 2024 Update, but note that some issues have been reported with this update.
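The interim mitigation above (disabling the IPv6 stack rather than merely firewalling it) is a Windows administration task, so here is an added PowerShell example of how an administrator might audit and, if chosen, apply it. This script is not part of the original post; it assumes a Windows version that ships the NetAdapter module (Windows 8.1 / Server 2012 R2 or later) and uses the `DisabledComponents` registry value documented in the KB929852 article quoted earlier. Microsoft’s own caveat from that article still applies: some Windows components may not function with IPv6 disabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Audits which network adapters still have the IPv6 stack bound and, only when
# -Disable is given, unbinds it and sets the DisabledComponents value from KB929852.
# Assumption: NetAdapter cmdlets are available (Windows 8.1 / Server 2012 R2 or later).

param(
    [switch]$Disable   # without this switch the script only reports
)

# 'ms_tcpip6' is the component ID of the Microsoft IPv6 protocol binding.
$bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6'
$enabled  = $bindings | Where-Object { $_.Enabled }

if (-not $enabled) {
    Write-Host "IPv6 is not bound to any adapter."
} else {
    Write-Host "Adapters with the IPv6 stack bound:"
    $enabled | Format-Table -Property Name, InterfaceDescription, Enabled -AutoSize | Out-Host
}

# Registry value documented in KB929852. 0xFF disables all IPv6 components
# except the loopback interface; a reboot is required for it to take effect.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$current  = (Get-ItemProperty -Path $regPath -Name 'DisabledComponents' `
             -ErrorAction SilentlyContinue).DisabledComponents

if ($null -eq $current) {
    Write-Host "DisabledComponents is not set (IPv6 components enabled)."
} else {
    Write-Host ("DisabledComponents = 0x{0:X2}" -f $current)
}

if ($Disable) {
    # A firewall rule blocking IPv6 is not sufficient; the binding itself is removed.
    foreach ($b in $enabled) {
        Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6' -Confirm:$false
        Write-Host "Disabled IPv6 binding on adapter '$($b.Name)'."
    }
    Set-ItemProperty -Path $regPath -Name 'DisabledComponents' -Value 0xFF -Type DWord
    Write-Host "Set DisabledComponents=0xFF; reboot required for the registry change."
}
```

Run the script without arguments to get a read-only inventory of where IPv6 is still bound; add `-Disable` to apply the change. To revert, `Enable-NetAdapterBinding -ComponentID 'ms_tcpip6'` restores the bindings and removing the `DisabledComponents` value (followed by a reboot) restores the default configuration.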

Other network stack issues?

See this interesting blog post on TheRegister.
