Microsoft on Tuesday warned customers to patch a critical TCP/IP remote code execution (RCE) vulnerability that is increasingly being exploited and affects all Windows systems with IPv6 enabled by default.
Discovered by XiaoWei of Kunlun Lab and tracked as CVE-2024-38063, the security bug is caused by an integer underflow vulnerability that attackers can exploit to trigger a buffer overflow and gain arbitrary code execution on vulnerable Windows 10, Windows 11, and Windows Server systems.
“Given the damage it can cause I won’t be releasing details for now,” the security researcher tweeted, adding that blocking IPv6 in the local Windows firewall won’t stop exploitation because the vulnerability is triggered before it can be handled by the firewall.
As Microsoft explained in its advisory on Tuesday, an unauthenticated attacker could exploit the vulnerability remotely in a low-complexity attack by repeatedly sending specially crafted IPv6 packets to the target.
Microsoft also published an exploitability assessment for this critical vulnerability, labeling it as “exploitation highly likely,” meaning that threat actors could craft exploit code to “persistently exploit the flaw in attacks.”
“Further, Microsoft is aware of past instances where these types of vulnerabilities have been exploited in the wild, making them an attractive target for attackers and increasing the likelihood that they will be exploited,” Redmond explained.
“As such, customers who have reviewed the security update and determined its applicability to their environment should treat this as a higher priority.”
As a mitigation for those who can’t immediately install this week’s Windows security updates, Microsoft recommends disabling IPv6 to eliminate the attack surface.
However, the company’s support website states that the IPv6 network protocol stack is “required for Windows Vista and Windows Server 2008 and later versions,” and that turning off IPv6 or its components is not recommended because it could cause some Windows components to stop working.
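As an added example (not from the article or from Microsoft), a PowerShell helper for the stopgap described in the two paragraphs above: it reports which adapters still have the IPv6 binding (ms_tcpip6) enabled and the system-wide Tcpip6 DisabledComponents value, and only unbinds IPv6 when run with -Disable, so the trade-off Microsoft's support site warns about stays a deliberate choice. The cmdlets and registry value are standard Windows; the function name and the -Disable switch are this example's own.

```powershell
# Added example: inventory the IPv6 exposure of a Windows host and, only on
# request, unbind IPv6 as a temporary mitigation for CVE-2024-38063 until the
# security update is installed. Run from an elevated PowerShell session.
# The function and switch names are this example's own; the cmdlets and the
# DisabledComponents registry value are standard Windows.
function Get-IPv6Exposure {
    [CmdletBinding()]
    param(
        # Unbind IPv6 from every adapter that currently has it enabled.
        [switch]$Disable
    )

    # ms_tcpip6 is the component ID of the Windows IPv6 protocol binding.
    $bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop

    # DisabledComponents = 0xFF turns off all IPv6 components after a reboot;
    # a missing value or 0 means the IPv6 stack is fully enabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc = (Get-ItemProperty -Path $regPath -Name 'DisabledComponents' `
            -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $dc) { $dc = 0 }

    foreach ($b in $bindings) {
        $state = [pscustomobject]@{
            Adapter            = $b.Name
            IPv6Bound          = $b.Enabled
            DisabledComponents = ('0x{0:X2}' -f $dc)
        }

        if ($Disable -and $b.Enabled) {
            # Microsoft notes this can stop some Windows components working, so
            # apply it only as a stopgap and restore it after patching with:
            #   Enable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6
            Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6' -Confirm:$false
            $state.IPv6Bound = $false
        }
        $state
    }
}

# Report only; add -Disable to apply the stopgap on adapters that still bind IPv6.
Get-IPv6Exposure | Format-Table -AutoSize
```

An adapter showing IPv6Bound = True with DisabledComponents = 0x00 is fully exposed to the IPv6 stack, so that is the state to act on first (by patching where possible).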
Wormable Vulnerabilities
Dustin Childs, head of threat awareness for Trend Micro’s Zero-Day Initiative, also named the CVE-2024-38063 bug as one of the most severe vulnerabilities fixed by Microsoft in this month’s Patch Tuesday, noting that it is a wormable flaw.
“The worst part appears to be a bug in TCP/IP that could allow an unauthenticated, remote attacker to achieve sophisticated code execution simply by sending specially crafted IPv6 packets to an affected target,” Childs said.
“This means it’s wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on almost all systems.”
Microsoft and other companies have warned Windows users to patch their systems as soon as possible to block potential attacks that exploit the CVE-2024-38063 vulnerability, but this is not the first Windows vulnerability to be exploited using IPv6 packets, and it likely won’t be the last.
Over the past four years, Microsoft has fixed several other IPv6 issues, including two TCP/IP vulnerabilities tracked as CVE-2020-16898/9 (aka Ping of Death), which could be exploited to launch remote code execution (RCE) or denial of service (DoS) attacks using malicious ICMPv6 Router Advertisement packets.
Microsoft also fixed an IPv6 fragmentation bug (CVE-2021-24086) that left all Windows versions vulnerable to DoS attacks, and a DHCPv6 flaw (CVE-2023-28231) that made it possible to obtain RCE through a specially crafted call.
While attackers have yet to exploit this in a large-scale attack targeting all IPv6-enabled Windows devices, the increased likelihood of CVE-2024-38063 being exploited means users are advised to apply this month’s Windows security updates immediately.