Critical Zero-Click Windows TCP/IP RCE Vulnerability Affects All IPv6-Enabled Systems: Urgent Patch Needed

August 14, 2024

Microsoft recently urged its customers to promptly patch a critical TCP/IP remote code execution (RCE) vulnerability that poses a significant risk to all Windows systems where IPv6 is enabled. The vulnerability, designated as CVE-2024-38063, is due to an Integer Underflow weakness that could be exploited by threat actors to induce buffer overflows, thereby executing arbitrary code on susceptible Windows 10, Windows 11, and Windows Server systems.

Microsoft explains that the vulnerability can be exploited remotely by unauthenticated attackers in low-complexity attacks, simply by repeatedly sending specially crafted IPv6 packets to the target. Microsoft's exploitability assessment tags this critical flaw as 'exploitation more likely', suggesting that threat actors could feasibly create exploit code that triggers the flaw consistently.

Microsoft stated, 'We are aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created.' Customers who have evaluated the security update and determined its applicability within their environment are urged to prioritize this issue.

For those unable to immediately install this week's Windows security updates, Microsoft suggests disabling IPv6 to remove the attack surface. However, the company warns on its support website that the IPv6 network protocol stack is a 'mandatory part of Windows Vista and Windows Server 2008 and newer versions' and discourages disabling IPv6 or its components as this may disrupt some Windows components.
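The practical question for a defender is which hosts still expose the IPv6 stack without the update. The script below is an added example, not from the article or from Microsoft, that reports a host's exposure: it checks whether the IPv6 transport is bound to any adapter, lists the IPv6 addresses the host holds, and checks whether a required update is installed. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server with the NetAdapter and NetTCPIP modules available. The KB identifier is a placeholder, since the article does not name the August 2024 update IDs; take the correct one for your build from the MSRC advisory for CVE-2024-38063.

```powershell
# Added example (not the article's or Microsoft's code).
# Reports whether this host is still exposed to an IPv6-reachable TCP/IP flaw.
# Assumptions: elevated session, NetAdapter/NetTCPIP modules present,
# $RequiredKBs replaced with the real cumulative-update ID for this build.

$RequiredKBs = @('KB_PLACEHOLDER_AUG2024_CU')   # placeholder: fill from the MSRC advisory

function Get-IPv6Exposure {
    [CmdletBinding()]
    param(
        [string[]]$RequiredKB = $RequiredKBs
    )

    # 1. Adapters with the IPv6 transport bound. 'ms_tcpip6' is the binding
    #    component ID Windows uses for IPv6; an enabled binding means the
    #    stack processes IPv6 packets arriving on that adapter.
    $boundAdapters = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled })

    # 2. IPv6 addresses on non-loopback interfaces. Link-local (fe80::/10)
    #    addresses are included on purpose: they are reachable from the local
    #    segment, which is where unauthenticated IPv6 traffic usually originates.
    $v6Addresses = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' })

    # 3. Installed updates, compared against the required KB list.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)
    $patched = [bool]($RequiredKB | Where-Object { $installed -contains $_ })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IPv6BoundAdapters = @($boundAdapters | Select-Object -ExpandProperty Name)
        IPv6Addresses     = @($v6Addresses | Select-Object -ExpandProperty IPAddress)
        PatchInstalled    = $patched
        # Exposed only if unpatched AND IPv6 is actually bound somewhere.
        Exposed           = (-not $patched) -and ($boundAdapters.Count -gt 0)
    }
}

# Usage: run on the host, or wrap in Invoke-Command for a fleet-wide sweep.
Get-IPv6Exposure | Format-List
```

The script deliberately reports and does not change anything: installing the update is the fix, and the article notes that Microsoft discourages disabling IPv6 because Windows components depend on it. Where a short-term reduction of attack surface is unavoidable, the per-adapter binding can be removed with `Disable-NetAdapterBinding -ComponentID ms_tcpip6`, but that is a stopgap to be reverted once the update is in place, not a substitute for it.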

Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, also identified the CVE-2024-38063 bug as one of the most severe vulnerabilities patched by Microsoft this Patch Tuesday, labeling it as a wormable flaw. Childs said, 'The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it's wormable.'

Despite the urgent calls from Microsoft and other companies for Windows users to patch their systems as soon as possible to prevent potential attacks using CVE-2024-38063 exploits, this is not the first, and likely won't be the last, Windows vulnerability exploitable using IPv6 packets. In the past four years, Microsoft has patched several other IPv6 issues, including two TCP/IP flaws tracked as CVE-2020-16898/9 (also known as Ping of Death), which can be exploited in remote code execution (RCE) and denial of service (DoS) attacks using malicious ICMPv6 Router Advertisement packets. Additionally, an IPv6 fragmentation bug (CVE-2021-24086) left all Windows versions vulnerable to DoS attacks, and a DHCPv6 flaw (CVE-2023-28231) made it possible to gain RCE with a specially crafted call. Although no widespread attacks targeting IPv6-enabled Windows devices using these vulnerabilities have been reported, users are still advised to apply this month's Windows security updates immediately, given the increased likelihood of CVE-2024-38063 exploitation.
