Microsoft has issued a critical warning to its customers regarding a significant TCP/IP remote code execution (RCE) vulnerability that affects all Windows systems utilizing IPv6, which is enabled by default. The vulnerability, tracked as CVE-2024-38063 and discovered by Kunlun Lab’s XiaoWei, stems from an Integer Underflow weakness. This flaw could allow attackers to exploit buffer overflows, potentially executing arbitrary code on vulnerable systems, including Windows 10, Windows 11, and Windows Server.
In a recent tweet, the security researcher emphasized the seriousness of the vulnerability, stating, “Considering its harm, I will not disclose more details in the short term.” He also noted that simply blocking IPv6 on the local Windows firewall would not prevent exploitation, as the vulnerability is triggered before the firewall processes the packets.
According to Microsoft’s advisory, unauthenticated attackers can remotely exploit this flaw through low-complexity attacks by sending specially crafted IPv6 packets. The company has assessed the exploitability of this critical vulnerability, labeling it with an “exploitation more likely” tag, indicating that threat actors may develop exploit code capable of consistently targeting the flaw.
Microsoft further acknowledged that there have been previous instances of similar vulnerabilities being exploited, making this particular flaw an attractive target for attackers. Consequently, the company advises customers who have reviewed the security update to prioritize its implementation within their environments.
For those unable to install the latest Windows security updates immediately, Microsoft recommends disabling IPv6 as a temporary mitigation measure to reduce the attack surface. However, the company cautions against turning off IPv6 entirely, as it is a “mandatory part of Windows Vista and Windows Server 2008 and newer versions,” and doing so may disrupt the functionality of certain Windows components.
Wormable Vulnerability
Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, has classified the CVE-2024-38063 bug as one of the most severe vulnerabilities addressed by Microsoft this Patch Tuesday, referring to it as a wormable flaw. “The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target,” Childs explained. He added that while disabling IPv6 could mitigate the risk, it is enabled by default on nearly all systems.
As Microsoft and other organizations urge Windows users to promptly patch their systems to guard against potential attacks utilizing CVE-2024-38063, it is worth noting that this is not the first, nor will it be the last, Windows vulnerability that can be exploited through IPv6 packets. Over the past four years, Microsoft has addressed several other IPv6-related issues, including two TCP/IP vulnerabilities tracked as CVE-2020-16898/9 (commonly referred to as Ping of Death), which can be exploited for remote code execution (RCE) and denial of service (DoS) attacks via malicious ICMPv6 Router Advertisement packets.
Additionally, an IPv6 fragmentation bug (CVE-2021-24086) left all Windows versions susceptible to DoS attacks, while a DHCPv6 flaw (CVE-2023-28231) enabled potential RCE through specially crafted calls. Although widespread attacks exploiting these vulnerabilities have not yet occurred, users are strongly advised to apply this month’s Windows security updates without delay, given the heightened risk associated with CVE-2024-38063.
