A critical vulnerability has been discovered in the Windows TCP/IP stack that allows unauthenticated remote code execution (RCE). This vulnerability can be exploited remotely by sending specially crafted IPv6 packets to the target system. Successful exploitation could allow an attacker to execute arbitrary code on the target system and affects all supported versions of Windows and Windows Server.
Windows TCP/IP RCE Vulnerability Impacts All Systems with IPv6 Enabled
Researcher XiaoWei from Kunlun Lab has reported the discovery of a critical remote code execution vulnerability in the Windows TCP/IP stack. The vulnerability, identified as CVE-2024-38063, carries a CVSS score of 9.8 and can be exploited without user interaction (zero-click). While details are scarce at the time of writing, it is known that an attacker can send IPv6 packets containing specially crafted payloads to the target system. CVE-2024-38063 affects all supported versions of Windows 10, 11, and Windows Server. It should be explicitly noted that the issue affects only IPv6 users, as it is impossible to send the said crafted v6 packets to an IPv4 address.
Still, the research uncovers that CVE-2024-38063 leads to a buffer overflow. As a result, it allows an attacker to execute arbitrary code at the SYSTEM privileges level on the target system. This could potentially result in full control over the compromised system. Also, I expect to see more details as time goes on and the patch is installed on more systems, so the researcher can release the info with less risk.
Impact of such a vulnerability may have been tremendous, if Microsoft decided to ignore it or just missed it as a whole. These days, IPv6 is not that widespread, but experts around the world consider it to be the future of the Internet. And now, imagine the hackers being able to deploy malware to any device, any time without any user interaction. This is what could have happened should this flaw appear a decade later, after the global IPv6 introduction.
Microsoft’s Response and Mitigation
Microsoft noted that this is not the first vulnerability of this kind, and attackers have actively exploited previous ones. The company anticipates that attackers will eventually develop exploits to take advantage of this vulnerability. Fortunately, Microsoft already offers a fix in the form of its latest, August 2024 Patch Tuesday update. Additionally, organizations are advised to monitor network activity and implement network segmentation. These measures are intended to limit lateral movement of the threat in the event of a system compromise.
Microsoft also suggested a temporary workaround involving the disabling of the IPv6 protocol. However, the issue lies in the fact that IPv6 is enabled by default on most systems, and some Windows components rely on it. Disabling IPv6 could, therefore, disrupt the functionality of other Windows components.
