Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
Microsoft warned customers this Tuesday to patch a critical TCP/IP remote code execution (RCE) vulnerability with an increased likelihood of exploitation that impacts all Windows systems using IPv6, which is enabled by default.
Found by Kunlun Lab’s XiaoWei and tracked as CVE-2024-38063, this security bug is caused by an Integer Underflow weakness, which attackers could exploit to trigger buffer overflows that can be used to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems.
“Considering its harm, I will not disclose more details in the short term,” the security researcher told BleepingComputer, adding that blocking IPv6 on the local Windows firewall won’t block exploits because the vulnerability is triggered prior to it being processed by the firewall.
As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.
Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently exploit the flaw in attacks.”
“Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created,” Redmond explains.
“As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.”
As a mitigation measure for those who can’t immediately install this week’s Windows security updates, Microsoft recommends disabling IPv6 to remove the attack surface.
However, on its support website, the company says the IPv6 network protocol stack is a “mandatory part of Windows Vista and Windows Server 2008 and newer versions” and doesn’t recommend toggling off IPv6 or its components because this might cause some Windows components to stop working.
Wormable vulnerability
Head of Threat Awareness at Trend Micro’s Zero Day Initiative Dustin Childs also labeled the CVE-2024-38063 bug as one of the most severe vulnerabilities fixed by Microsoft this Patch Tuesday, tagging it as a wormable flaw.
“The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target,” Childs said.
“That means it’s wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on just about everything.”
While Microsoft and other companies warned Windows users to patch their systems as soon as possible to block potential attacks using CVE-2024-38063 exploits, this isn’t the first and likely won’t be the last Windows vulnerability exploitable using IPv6 packets.
Over the last four years, Microsoft has patched multiple other IPv6 issues, including two TCP/IP flaws tracked as CVE-2020-16898/9 (also called Ping of Death), that can be exploited in remote code execution (RCE) and denial of service (DoS) attacks using malicious ICMPv6 Router Advertisement packets.
Additionally, an IPv6 fragmentation bug (CVE-2021-24086) left all Windows versions vulnerable to DoS attacks, and a DHCPv6 flaw (CVE-2023-28231) made it possible to gain RCE with a specially crafted call.
Even though attackers are yet to exploit them in widespread attacks targeting all IPv6-enabled Windows devices, users are still advised to apply this month’s Windows security updates immediately due to CVE-2024-38063’s increased likelihood of exploitation.