
Should organisations disable IPv6 to protect against "scary" wormable TCP/IP RCE?

CVE-2024-38063 lets unauthenticated attackers carry out remote code execution by "repeatedly sending IPv6 packets".

Microsoft confirmed the RCE bug on Patch Tuesday earlier this week (Image: ChatGPT)

When Microsoft announced its latest round of CVEs on Patch Tuesday earlier this week, one vulnerability stood out.

Although it had not yet been exploited in the wild or publicly disclosed, a Windows TCP/IP Remote Code Execution (RCE) vulnerability tracked as CVE-2024-38063 sparked furious debate on social media.

Some users called for drastic action such as disabling IPv6 to protect against the "scary" vulnerability and others simply advised organisations to, you know, install the patch and chill out.

The bug lets unauthenticated attackers remotely execute code by repeatedly sending IPv6 packets, including "specially crafted packets", to a Windows machine. It's considered wormable, which means it's capable of spreading across systems without authentication or user interaction.

With a CVSS rating of 9.8, the bug is critical in severity. It is an integer underflow vulnerability that can be exploited to trigger a buffer overflow and execute arbitrary code on Windows 10, Windows 11, and Windows Server systems. It was first identified by Kunlun Lab's XiaoWei.

On LinkedIn, Marcus Hutchins, known online as MalwareTech and famous for his high-profile involvement in combatting WannaCry, wrote: "This one looks bad. Remote code execution vulnerability in the Windows kernel’s IPv6 parser. It looks like the parsing happens prior to the packet being passed to the system firewall, so as long as IPv6 packets can reach the target machine and IPv6 is enabled in Windows, the system would be exploitable regardless of local firewall settings."

When asked how he knew the bug was in the IPv6 parser, Hutchins replied: "Not sharing any details that could lead to exploitation."

Switching off IPv6, the most recent version of the Internet Protocol, and rolling back to IPv4 appears to be a surefire way of defeating the RCE bug.

In its vulnerability warning, Microsoft wrote: "The following mitigating factors might be helpful in your situation: Systems are not affected if IPv6 is disabled on the target machine."

But is this using a sledgehammer to crack a nut? We asked a range of security professionals for their advice.

Brian Hysell, Associate Principal Consultant, Synopsys Software Integrity Group, told us: "IPv6 was once relatively obscure, but today is up to 43% adoption according to Google's statistics. The scope of its use may not be immediately evident in a large organisation, and Microsoft recommends disabling it.

"Hence, disabling IPv6 altogether could pose unexpected risks to system availability, so fixing the core issue by applying the patch is recommended, as always. On the other hand, many sysadmins report anecdotally that they have disabled it in Windows with no problems observed.

"This vulnerability is in Microsoft-written code that implements IPv6, not in IPv6 itself. IPv6 implementations could theoretically be more susceptible to vulnerabilities than IPv4 due to the former being newer and historically less popular and possibly being given less scrutiny as a result. But that is difficult to ascertain in any objective manner."

Chris Bates, CISO at SandboxAQ, took a hard stance. "If the company or user isn't using IPv6, they should disable it," he told The Stack. "This is basic attack surface management: If you aren't using it, you aren't maintaining or monitoring it. By disabling it, you reduce your company's attack surface."

Stephen Fewer, Principal Security Researcher at Rapid7, pointed out that the flaw is "not inherent to the design of the IPv6 protocol, but rather Microsoft’s implementation of the IPv6 protocol in a kernel driver" - which means that Linux and other systems using a non-Microsoft implementation of IPv6 would be "entirely unaffected."

"In the corporate environment, however, there may be thousands of Windows assets with IPv6 enabled by default and we recommend that organisations apply the patch as quickly as possible," he advised. "While it’s always useful to reduce attack surface — and disabling unused functionality to mitigate vulnerabilities is one way to achieve that — disabling IPv6 might not be possible in some of these corporate environments without impact to business-critical functionality."
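The experts above agree on the order of operations: patch first, and treat disabling IPv6 as an attack-surface decision that needs an inventory before it is applied, because the stack may be carrying traffic that is not obvious. The script below is an added example written for this article, not code from Microsoft or from any of the people quoted. It uses the standard NetAdapter and NetTCPIP cmdlets (`Get-NetAdapterBinding`, `Get-NetIPAddress`, `Disable-NetAdapterBinding`) that ship with Windows 8 / Server 2012 and later, reads the `DisabledComponents` registry value that Microsoft's own IPv6 configuration guidance uses (`0xFF` disables IPv6 on all interfaces except loopback), and by default only reports; the `-Apply` switch and the "no routable IPv6 address" rule for choosing candidate adapters are this example's own assumptions, not a Microsoft recommendation. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): inventory a Windows host's
# IPv6 exposure before deciding whether disabling IPv6 is an acceptable
# mitigation. Default is report-only; -Apply unbinds IPv6 from adapters that
# show no sign of real IPv6 use. Assumes an elevated session.
[CmdletBinding()]
param(
    [switch]$Apply
)

# 1. Which adapters have the IPv6 stack (component ms_tcpip6) bound at all?
#    Per the article, the vulnerable parser runs before the host firewall sees
#    the packet, so the binding, not firewall rules, is what matters here.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# 2. Which adapters hold a routable (non link-local) IPv6 address? Those are
#    the ones where disabling IPv6 is most likely to break something.
$inUse = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80:*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin

Write-Host 'IPv6 binding per adapter:'
$bindings | Format-Table -AutoSize | Out-String | Write-Host
Write-Host 'Adapters with routable IPv6 addresses (IPv6 is in use here):'
$inUse | Format-Table -AutoSize | Out-String | Write-Host

# 3. Report the machine-wide DisabledComponents value. 0xFF is the value
#    Microsoft's IPv6 guidance documents for turning IPv6 off (reboot required);
#    an absent value means the default, i.e. IPv6 fully enabled.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) { $dc = 0 }
Write-Host ('DisabledComponents = 0x{0:X2} ({1})' -f $dc, $(if ($dc -eq 0xFF) { 'IPv6 disabled' } else { 'IPv6 at least partly enabled' }))

# 4. Candidate adapters for unbinding: IPv6 bound, but no routable IPv6 address.
#    This selection rule is the example's own heuristic; verify against your
#    own change-management record before applying.
$candidates = $bindings | Where-Object {
    $_.Enabled -and ($inUse.InterfaceAlias -notcontains $_.Name)
}

foreach ($a in $candidates) {
    if ($Apply) {
        Disable-NetAdapterBinding -Name $a.Name -ComponentID ms_tcpip6
        Write-Host "Unbound IPv6 from adapter '$($a.Name)'"
    } else {
        Write-Host "Would unbind IPv6 from adapter '$($a.Name)' (re-run with -Apply)"
    }
}
```

Two caveats follow from the article itself. Unbinding IPv6 per adapter is a narrower change than the machine-wide `DisabledComponents` setting that Microsoft's "IPv6 is disabled on the target machine" wording points to, so an inventory that shows IPv6 still enabled at the registry level is not yet fully covered by the mitigating factor. And whatever the inventory shows, the patch remains the actual fix: the mitigation only buys time on hosts where it cannot be applied immediately.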
