[German]A small follow-up to the August 13, 2024 patchday, where the 0-day remote code execution vulnerability CVE-2024-38063 in the TCP/IP implementation of Windows became known. Attackers can compromise a host via IPv6 packets and execute code there. Based on the CVEv3 score of 9.8 (critical, "Exploitation More Likely"), Redmond recommends that administrators currently disable IPv6, but Microsoft has also provided security updates for Windows.
Advertising
TCP-IP-Schwachstelle CVE-2024-38063
I briefly mentioned the 0-day vulnerability CVE-2024-38063 in Windows in the blog post Microsoft Security Update Summary (August 13, 2024) following a tip from Tenable. This is a remote code execution (RCE) vulnerability in the Windows TCP/IPv6 implementation caused by an integer underflow error. This RCE vulnerability has been classified as highly critical with a CVEv3 score of 9.8 and as "Exploitation More Likely".
The problem: An attacker can remotely exploit this vulnerability without authentication and without user action by repeatedly sending specially crafted IPv6 packets to a Windows host. Microsoft has stated in CVE-2024-38063 that only IPv6 packets can be abused to exploit this vulnerability and recommends disabling IPv6.
The vulnerability was discovered by XiaoWei from Kunlun Lab (tweet on x) and then reported to Microsoft. Details of this vulnerability have not yet been published. The colleagues from Bleeping Computer have also quoted a statement from Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative. Dustin Childs describes the vulnerability as "wormable", meaning that an attacker could spread their malicious code to other computers in the network.
Proof of concept available
Robel Campbell, Principal Security Researcher at Blackpoint Cyber, posted a tweet on X stating that he was able to develop a PoC by reading the RFCs and the parts about optional headers in IPv6 packets. The proof of concept exploit (POC) causes a crash.
Advertising
The error checking is not very detailed in the PoC case. Essentially, the underflow (integer underflow) creates a large value that is used in a loop that eventually writes data out of bounds and causes a crash. Campbell can envision this being used for attacks through heap massaging techniques and corrupting neighboring objects in the heap. However, the PoC is quick-n-dirty, and Campbell states that he was only able to trigger the crash once. The crash dump didn't really help him much for analysis. Administrators should therefore patch or mitigate in time.
Updates from Microsoft
Microsoft has provided a series of security updates for affected Windows systems as of August 13, 2024. I have extracted the relevant packages below, which are listed under CVE-2024-38063.
- KB5041571 : Windows 11 Version 24H2 (just for Windows Insider)
- KB5041585: Windows 11 Version 22H2 – 23H2
- KB5041573: Windows Server 2022 Version 23H2
- KB5041160: Windows Server 2022
- KB5041592: Windows 11 Version 21H2
- KB5041580: Windows 10 Version 21H2 – 22H2
- KB5041578: Windows Server 2019, Windows 10 Version 1809 (2019)
- KB5041773: Windows Server 2016, Windows 10 Version 1607 LTSC
- KB5041782: Windows 10 RTM LTSC
- KB5041828: Windows Server 2012 R2
- KB5041851: Windows Server 2012
- KB5041838, KB5041823: Windows Server 2008 R
- KB504185, KB5041847: Windows Server 2008
I had a look at the support articles for the above posts, none of the knowledge base articles mention the vulnerability CVE-2024-38063 . It is therefore unclear whether the vulnerability is closed as soon as the update packages mentioned above are installed
Further instructions for mitigation
In the comments here in the blog and in the article Windows Server 2019/Windows 10 Enterprise 2019 LTSC: Performance Issues with Update KB5041578, it is indicated that August 2024 updates may not be installed due to problems. Microsoft therefore recommends disabling IPv6 to mitigate the attack vector. I'm a little unsure of the consequences here, as Microsoft writes in the support article here:
Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function. We recommend using Prefer IPv4 over IPv6 in prefix policies instead of disabling IPV6.
Or in short: IPv6 is required from Windows Vista or the server versions onwards. If IPv6 is switched off, malfunctions are to be expected. I have to leave it at that.
Here are a few more tips on this topic. There are administrators who have come to the razor-sharp conclusion "well, then I'll deactivate IPv6 in the firewall and that's that". In a tweet on X, the discoverer of the vulnerability responds to a corresponding question by saying that errors are triggered before the firewall filters the packet. So that's nothing.
In a discussion in my German blog about switching off IPv6, where someone asks whether unchecking the checkbox for IPv6 in the protocol binding of the network card is enough. The comments are that this is probably not enough. To disable the IPv6 stack, you can go to the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
set the DWORD value DisabledComponents to the value REG_DWORD 0x000000ff (255) to disable IPv6 in Windows. Alternatively, you can disable the protocol binding for IPv6 via Group Policy. Mark Heitbrink has published this German article on gruppenrichtlinien.de with detailed explanations on the topic. Perhaps it will help a little.
Similar articles:
Microsoft Security Update Summary (August 13, 2024)
Patchday: Windows 10/Server Updates (August 13, 2024)
Patchday: Windows 11/Server 2022-Updates (August 13, 2024)
Windows Server 2019/Windows 10 Enterprise 2019 LTSC: Performance Issues with Update KB5041578
Advertising