CVE-2024-38063 Windows TCP/IP Remote Code Execution Vulnerability

What Happened

On August 13th, 2024, Microsoft issued a critical advisory for a vulnerability identified in IPv6 components used by the Windows operating system. This vulnerability within the Windows TCP/IP stack could potentially allow for attackers to perform remote code execution (RCE) by flooding victim endpoints with IPv6 packets, triggering an integer underflow state. Windows based endpoints with IPv6 enabled are all potentially vulnerable to this exploit. Due to the exposure of endpoints with IPv6 enabled and the impact this vulnerability could have, CVE-2024-38063 has been scored a 9.8 (Critical) on the CVSS scale.

Proof of concept (PoC) code has been released, however, it is unable to trigger actual remote code execution. It’s not completely harmless, though, as it has been proven to allow for denial of service (DoS) on victim endpoints by causing a blue screen of death (BSOD) crash. Additionally, the PoC author believes that threat actors with enough patience and expertise would be able to use this PoC to implement a true remote code execution attack.

What That Means

At first glance, this CVE seems almost as bad as it can get, however there are some additional considerations to take into account before jumping into action. This vulnerability only affects Windows endpoints that have IPv6 enabled. This is a feature that is enabled by default, however, it is also understood that a victim would also need to actually have an IPv6 address assigned. For an endpoint to truly be vulnerable, it must have IPv6 enabled and have an IPv6 address. Proof of concept code requires that the attacker system can talk to the victim system over IPv6. Systems with IPv6 disabled are not vulnerable to this exploit. 

If the victim system is vulnerable to this attack and is targeted by the single currently known PoC, the victim will see a large influx of IPv6 traffic before it locks up in a blue screen of death crash. To see this in action or read up on any of the technical details, take a look at the author’s code on github.

Microsoft has provided official security patches for this vulnerability in the August monthly rollup and cumulative security updates for affected Windows 10, Windows 11, and Windows Server systems.

At this time, Microsoft has not observed any exploitation of CVE-2024-38063 in the wild.

Who’s Impacted

The following devices are impacted

• Windows 10
• Windows 11
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2022

How Would I Know and What Should I Do

Update Windows systems - the updates provided by Microsoft have been rolled out and should be applied automatically through the typical Windows Update process. See the bottom section of this article for update information specific to each affected operating system.

If updating is not possible, consider disabling IPv6 if it is not needed. This should be considered only a temporary fix as the most recommended and long-term solution would be to apply patches. Take care when disabling IPv6 on critical infrastructure as it may cause some unanticipated network disruptions.

Monitor your network for abnormally large amounts of IPv6 traffic directed at single targets. If systems are being targeted for this CVE, they may experience instability or crashing.

When Will Microsoft Fix It

As of 2024-08-13, Microsoft has released updates for all supported and affected systems.

How Blumira Can Help

Blumira continues to actively monitor this issue, and look for ways that we can detect any stage of exploitation of these vulnerabilities.

If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.