Critical TCP/IP Vulnerability Threatens All Windows Systems with IPv6 Enabled


This week, Microsoft warned users about a critical TCP/IP vulnerability that allows remote execution of arbitrary code. The issue affects all Windows systems using the IPv6 protocol, which is enabled by default.

The vulnerability, discovered by experts at Kunlun Lab and assigned the identifier CVE-2024-38063, is related to an integer underflow that can be exploited by attackers to overflow a buffer and execute arbitrary code on systems running Windows 10, Windows 11, and Windows Server.

Researchers stated that they will not disclose technical details of the vulnerability in the near future due to its severity, giving users more time to install patches. Kunlun Lab also noted that blocking IPv6 at the local Windows firewall level will not stop exploits, as the vulnerability can be triggered before the firewall is activated.

According to Microsoft, unauthenticated attackers can remotely exploit this issue in low-complexity attacks by repeatedly sending specially crafted IPv6 packets. The company also emphasized that exploitation of this critical vulnerability is highly likely, meaning attackers could develop an exploit to use in real-world attacks.

“Microsoft is aware of previous cases where vulnerabilities of this type have been exploited. This makes the issue an attractive target for attackers and increases the likelihood of exploit development,” the company warned.

For those unable to immediately install the patches released this week, Microsoft recommends disabling IPv6 entirely to avoid the risk of potential attacks. However, Microsoft’s support site notes that the IPv6 network protocol stack is “an integral part of Windows Vista, Windows Server 2008, and later versions of the OS,” and does not recommend disabling IPv6 or its components, as this may cause some OS components to function incorrectly.
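For administrators weighing the stopgap above, the following PowerShell (an added example, not from Microsoft or the article) reports which adapters still have the IPv6 stack bound, reads Microsoft's documented system-wide DisabledComponents switch, and provides a per-adapter unbind that can be tested with -WhatIf first; it assumes an elevated session on a host with the NetAdapter module.

```powershell
# Added example: audit IPv6 exposure on a Windows host and, if required,
# unbind IPv6 per adapter as a temporary measure until CVE-2024-38063 is patched.
# Requires an elevated PowerShell session (NetAdapter and NetTCPIP modules).

function Get-IPv6ExposureReport {
    # One row per adapter: is the IPv6 stack (component ms_tcpip6) bound to it,
    # and which IPv6 addresses does it currently hold?
    foreach ($b in (Get-NetAdapterBinding -ComponentID ms_tcpip6)) {
        $addrs = Get-NetIPAddress -InterfaceAlias $b.Name -AddressFamily IPv6 `
                     -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            Adapter   = $b.Name
            IPv6Bound = $b.Enabled
            Addresses = ($addrs -join ', ')
        }
    }
}

function Get-IPv6DisabledComponents {
    # Microsoft's documented system-wide switch is the DisabledComponents DWORD
    # under the Tcpip6 service key; 0xFF disables all IPv6 components.
    # A missing value means the default, i.e. IPv6 fully enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $v = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return $v.DisabledComponents
}

function Disable-IPv6OnAdapter {
    # Per-adapter unbind of the IPv6 stack. Pass -WhatIf to preview the change;
    # re-enable later with Enable-NetAdapterBinding using the same component ID.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$AdapterName)
    if ($PSCmdlet.ShouldProcess($AdapterName, 'Unbind ms_tcpip6')) {
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6
    }
}

# Usage: print the per-adapter report and the system-wide setting.
Get-IPv6ExposureReport | Format-Table -AutoSize
'DisabledComponents = 0x{0:X}' -f (Get-IPv6DisabledComponents)
```

Unbinding the stack per adapter is reversible and narrower than the registry switch, but as the article notes, either change can break Windows components that expect IPv6, so record the prior state before applying it.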

Dustin Childs, head of the Trend Micro Zero Day Initiative, wrote that CVE-2024-38063 is one of the most serious issues Microsoft has fixed this month and warned that the bug has worm potential.

“The most serious [this month] is likely the TCP/IP vulnerability that allows a remote, unauthenticated attacker to achieve code execution simply by sending specially crafted IPv6 packets to the target,” wrote Childs. “This means the issue has worm potential. You can disable IPv6 to prevent exploitation, but IPv6 is enabled by default on nearly all devices.”
