Microsoft announced on Tuesday that one of the updates released in this month’s ‘Patch Tuesday’ event addressed a critical remote code execution (RCE) vulnerability impacting all Windows systems using IPv6.
The flaw, designated CVE-2024-38063, is due to an integer underflow weakness that, when exploited, could trigger a buffer overflow that threat actors could leverage to enable RCE. Of particular concern is that CVE-2024-38063 can be exploited simply by repeatedly sending specifically crafted IPv6 packets, a process that can be easily automated to target large swaths of vulnerable Windows systems worldwide quickly.
While Microsoft has not detected active exploitation of CVE-2024-38063, it is strongly encouraging users to install Tuesday’s updates immediately to mitigate the risk the vulnerability poses.
Source: Bleeping Computer
Analysis
IPv6 was developed in the late 1990s to address the anticipated exhaustion of standard IPv4 addresses caused by the rapid commercialization of the internet. IPv6’s use of 128-bit addresses allows it to have as many as 340 undecillion unique IP addresses, significantly more than IPv4’s 4.3 billion addresses.
Since IPv6 is enabled by default in most Windows systems, any vulnerability in the protocol could represent a massive attack surface for threat actors to target. Microsoft has previously identified and patched multiple other issues in IPv6, including CVE-2020-16898 and CVE-2020-16899. Better known collectively as ‘Ping of Death’, the vulnerabilities could be exploited by threat actors using malicious ICMPv6 Router Advertisement packets to conduct RCE and denial of service (DoS) attacks.
More recently, in 2021, an IPv6 fragmentation vulnerability (CVE-2021-24086) left all Windows versions vulnerable to DoS attacks, and a DHCPv6 flaw discovered in 2023 (CVE-2023-28231) allowed threat actors to conduct RCE with a specially crafted call.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Windows. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of affected Windows systems install the latest patches as soon as possible, and enable automatic updates so that future vulnerabilities in Windows are patched as they are released.
Users who cannot update right away can disable IPv6 in the meantime; however, be advised that this may cause issues with applications that rely on the protocol.
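For administrators who choose the temporary workaround above, the following PowerShell script (an added example, not Field Effect's or Microsoft's own tooling) records the current IPv6 binding state so the change can be rolled back once the patch is applied, unbinds IPv6 from each adapter, and sets Microsoft's documented DisabledComponents value. It assumes an elevated session on a supported Windows build; the backup path, the function names and the KB placeholder are assumptions.

```powershell
# Added example: temporary IPv6 workaround with rollback for hosts that cannot
# install the August 2024 update yet. Assumes an elevated PowerShell session
# on Windows 10/11 or Server 2016+. A reboot is needed for the registry
# change to take full effect.

$BackupFile = "$env:ProgramData\ipv6-binding-backup.csv"   # assumed path
$Tcpip6Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Disable-Ipv6Workaround {
    # Record which adapters currently have IPv6 bound so the change is reversible.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled |
        Export-Csv -Path $BackupFile -NoTypeInformation

    # Unbind the IPv6 stack (ComponentID ms_tcpip6) from every adapter that has it.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled |
        ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }

    # Microsoft's documented DisabledComponents value: 0xFF disables all IPv6
    # components (including tunnel interfaces) except the loopback interface.
    New-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

function Restore-Ipv6Workaround {
    # Re-bind IPv6 only on adapters that had it enabled before the workaround.
    if (Test-Path $BackupFile) {
        Import-Csv $BackupFile | Where-Object { $_.Enabled -eq 'True' } |
            ForEach-Object { Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
    }
    Remove-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -ErrorAction SilentlyContinue
}

function Test-PatchInstalled {
    # Returns $true when the given cumulative update is present. Replace the
    # placeholder with the KB number that applies to this host's Windows build.
    param([string]$Kb = 'KB<KB-NUMBER>')
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

# Apply the workaround only where the patch is still missing, e.g.:
# if (-not (Test-PatchInstalled -Kb 'KB<KB-NUMBER>')) { Disable-Ipv6Workaround }
```

Run Restore-Ipv6Workaround after the update has been installed and verified, then reboot, so applications that depend on IPv6 regain the protocol.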