Microsoft has sent out a red alert this Tuesday, urging everyone to patch a critical TCP/IP remote code execution (RCE) vulnerability. This one’s a real doozy with a high chance of being exploited, and it affects all Windows systems that have IPv6 enabled by default.
Discovered by XiaoWei from Kunlun Lab and tracked as CVE-2024-38063, this vulnerability stems from an Integer Underflow weakness. Hackers can use this flaw to cause buffer overflows, allowing them to run arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems.
XiaoWei has kept the finer details under wraps, tweeting that due to the severity of this flaw, more specifics won’t be shared anytime soon. To make matters worse, blocking IPv6 in the local Windows firewall won’t help since the vulnerability is triggered before the firewall gets a chance to process it.
According to Microsoft’s advisory on Tuesday, unauthenticated attackers can exploit this flaw remotely with ease by sending specially crafted IPv6 packets repeatedly.
Microsoft slapped an “exploitation more likely” label on this vulnerability, signalling that threat actors could quickly develop exploit code to consistently take advantage of it.
Redmond also pointed out that similar vulnerabilities have been exploited in the past, making this a particularly juicy target for attackers. As such, those who’ve checked out the security update and found it relevant to their systems should treat this as a top priority.
For those who can’t install the latest security updates straight away, Microsoft suggests disabling IPv6 to reduce the risk. However, they caution against this on their support site, as IPv6 is a core component of Windows Vista, Windows Server 2008, and newer versions, and turning it off might cause some Windows features to stop working.
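As an added example (not code from the article or from Microsoft), the PowerShell below shows how an administrator would inventory which adapters have IPv6 bound and, only when explicitly asked, unbind it as the interim mitigation described above. It relies on the built-in `Get-NetAdapterBinding` / `Disable-NetAdapterBinding` cmdlets and the `ms_tcpip6` component ID; the `-Disable` switch is this script's own assumed parameter. It defaults to a dry run so the current state is recorded before anything changes.

```powershell
# Added example, not from the article or Microsoft: report the IPv6 (ms_tcpip6)
# binding on every network adapter and optionally unbind it as an interim
# mitigation until the security update is installed. Run from an elevated
# PowerShell session. -Disable is an assumed parameter of this script.
param(
    [switch]$Disable
)

# ms_tcpip6 is the component ID Windows uses for the IPv6 protocol binding.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6

# Record the current state so the change is auditable before it is made.
$bindings | Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize

if (-not $Disable) {
    Write-Host "Dry run: re-run with -Disable to unbind IPv6 on the enabled adapters above."
    return
}

foreach ($b in ($bindings | Where-Object Enabled)) {
    Write-Host "Disabling IPv6 binding on adapter '$($b.Name)'"
    Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6 -Confirm:$false
}

# Verify: every adapter should now report Enabled = False for ms_tcpip6.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled
```

Unbinding the protocol per adapter is distinct from a local firewall rule, which the article notes does not help because the packet is processed before the firewall sees it. Microsoft's caveat still applies: some Windows features depend on IPv6, so treat this as a stopgap, install the update, and restore the binding afterwards with `Enable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6`.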
Wormable Vulnerability
Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, has also flagged CVE-2024-38063 as one of the nastiest bugs fixed by Microsoft this Patch Tuesday, calling it a “wormable” flaw.
“The most worrying aspect of this is that an unauthenticated attacker could gain elevated code execution just by sending specially crafted IPv6 packets to a vulnerable system,” Childs said.
“That makes it wormable. Disabling IPv6 can stop this exploit, but considering IPv6 is switched on by default on nearly everything, it’s a bit of a tricky situation.”
Microsoft and others are urging Windows users to patch their systems immediately to fend off potential attacks using CVE-2024-38063 exploits. Unfortunately, this isn’t the first, and likely won’t be the last, Windows vulnerability that can be exploited using IPv6 packets.
Over the past four years, Microsoft has patched several other IPv6-related issues, including two TCP/IP flaws known as CVE-2020-16898/9 (nicknamed Ping of Death), which could be exploited in remote code execution (RCE) and denial of service (DoS) attacks through malicious ICMPv6 Router Advertisement packets.
Additionally, an IPv6 fragmentation bug (CVE-2021-24086) left all Windows versions vulnerable to DoS attacks, while a DHCPv6 flaw (CVE-2023-28231) made it possible to gain RCE with a specially crafted call.
Even though these vulnerabilities haven’t yet been exploited in widespread attacks against IPv6-enabled Windows devices, users are strongly advised to install this month’s Windows security updates as soon as possible, given the increased likelihood of exploitation for CVE-2024-38063.