
A Zero-click Vulnerability allowing RCE has been found in IPv6 in Windows 10 & 11, patch is out now

This Tuesday, Microsoft warned users to patch a severe TCP/IP remote code execution (RCE) vulnerability that affects all Windows computers that use IPv6, which is enabled by default. The vulnerability has an increased likelihood of being exploited.

This security flaw, discovered by Kunlun Lab's XiaoWei and listed as CVE-2024-38063, is caused by an integer underflow that attackers might use to trigger buffer overflows, which could in turn be used to execute arbitrary code on susceptible Windows 10, Windows 11, and Windows Server systems.

"Considering its harm, I will not disclose more details in the short term," the security researcher tweeted, adding that blocking IPv6 on the local Windows firewall won't block exploits because the vulnerability is triggered prior to it being processed by the firewall.

As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets, including specially crafted ones.

Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an "exploitation more likely" label, which means that threat actors could create exploit code to "consistently exploit the flaw in attacks."

Microsoft is aware of previous instances where this type of vulnerability was exploited. This would make it an attractive target for attackers, increasing the likelihood that exploits may be created. As such, it is crucial for customers who have reviewed the security update and determined its applicability within their environment to treat this with the highest priority.

Wormable Vulnerability


CVE-2024-38063 can be seen as one of the most severe vulnerabilities fixed by the patch that Microsoft released this Tuesday (13 August 2024).

The bug could allow an unauthorized attacker to gain elevated rights and execute code remotely just by sending specially crafted IPv6 packets to an affected target.
This makes the attack "wormable": it can propagate from one computer to another through the network. You can disable IPv6 to prevent this exploit, but the protocol is enabled by default on most Windows installations.
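
To see where a host stands on the IPv6 mitigation mentioned above, the following PowerShell script inventories the IPv6 binding on each adapter and lists updates installed on or after the 13 August 2024 release date. It is an added example, not code from Microsoft or the researcher; the `-DisableIPv6` switch name and the "installed since release date" heuristic are assumptions of this example.

```powershell
# Added example: audit IPv6 exposure per adapter. Read-only unless -DisableIPv6 is given.
# Uses the NetAdapter / NetTCPIP cmdlets that ship with current Windows releases.
param(
    [switch]$DisableIPv6   # hypothetical switch name, chosen for this example
)

# One row per adapter: is the IPv6 stack (ms_tcpip6) bound, and which addresses exist?
$report = foreach ($binding in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
    $addrs = @(Get-NetIPAddress -InterfaceAlias $binding.Name -AddressFamily IPv6 `
                                -ErrorAction SilentlyContinue)
    # fe80::/10 is link-local: reachable only from the same network segment.
    $nonLinkLocal = @($addrs | Where-Object { $_.IPAddress -notlike 'fe80*' })

    [pscustomobject]@{
        Adapter      = $binding.Name
        IPv6Bound    = $binding.Enabled
        LinkLocal    = $addrs.Count - $nonLinkLocal.Count
        NonLinkLocal = $nonLinkLocal.Count
    }
}
$report | Format-Table -AutoSize

# Heuristic only: updates installed on or after the release date given in the article.
# Confirm the exact KB for your Windows build in Microsoft's advisory for CVE-2024-38063.
$released = [datetime]'2024-08-13'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $released })
if ($recent.Count -eq 0) {
    Write-Warning "No updates installed since $($released.ToString('yyyy-MM-dd'))."
} else {
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn
}

# Optional mitigation: unbind IPv6 from every adapter that still has it enabled.
# Requires an elevated session; test first, since some Windows features rely on IPv6.
if ($DisableIPv6) {
    $report | Where-Object { $_.IPv6Bound } | ForEach-Object {
        Disable-NetAdapterBinding -Name $_.Adapter -ComponentID ms_tcpip6
        Write-Output "IPv6 unbound from adapter '$($_.Adapter)'"
    }
}
```

Unbinding can be reversed with `Enable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6` once the update is installed.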

While Microsoft and other companies warned Windows users to patch their systems as soon as possible to block potential attacks using CVE-2024-38063 exploits, this isn't the first and likely won't be the last Windows vulnerability exploitable using IPv6 packets.

Over the last four years, Microsoft has patched a number of other IPv6 issues, including two TCP/IP flaws known as CVE-2020-16898/9 (also known as Ping of Death), which can be used in remote code execution (RCE) and denial of service (DoS) attacks via malicious ICMPv6 Router Advertisement packets.

Additionally, an IPv6 fragmentation bug (CVE-2021-24086) made all Windows versions vulnerable to DoS attacks, and a DHCPv6 weakness (CVE-2023-28231) allowed for RCE with a specially designed request.

Despite the fact that attackers have yet to exploit them in widespread assaults targeting all IPv6-enabled Windows computers, users are encouraged to install this month's Windows security updates as soon as possible owing to the increased likelihood of exploitation of CVE-2024-38063.


How GIGAMIT Can Offer Scalable IT Support and Assist in Preventing Such Security Risks


The security landscape for enterprises using Windows systems is always changing, as evidenced by the most recent vulnerabilities like CVE-2024-38063, with attackers increasingly focusing on critical infrastructure with sophisticated exploits. GIGAMIT provides strong solutions to assist your company in successfully navigating these obstacles.

  1. Proactive Threat Monitoring and Management
    GIGAMIT provides continuous monitoring of your IT environment, enabling early detection of potential vulnerabilities, including those related to IPv6 and other critical protocols. Our expert team can assess the applicability of newly discovered vulnerabilities to your systems and apply the necessary patches before they can be exploited.

  2. Customized Security Solutions
    Understanding that every business has unique IT requirements, GIGAMIT offers tailored security solutions that align with your specific needs. Whether it’s implementing advanced firewalls, configuring your network to reduce attack surfaces, or disabling unused protocols like IPv6 where appropriate, we ensure that your systems are fortified against the latest threats.

  3. Scalable IT Support
    As your business grows, so do your IT needs. GIGAMIT’s scalable IT support ensures that your infrastructure can adapt to increased demands without compromising security. We provide everything from routine maintenance to complex system overhauls, ensuring that your technology scales in line with your business.

  4. Incident Response and Recovery
    In the unfortunate event of a security breach, GIGAMIT’s rapid incident response services can help mitigate damage and restore operations. Our team is equipped to handle complex security incidents, ensuring minimal disruption to your business.

With a team of professionals committed to maintaining the security and effectiveness of your IT infrastructure, you can be sure that your company is safeguarded against new threats when you collaborate with GIGAMIT.
