Blog

This week's Patch Tuesday brought urgent news from Microsoft: a critical TCP/IP Remote Code Execution (RCE) vulnerability, identified as CVE-2024-38063, has been discovered that affects all Windows systems utilizing IPv6. This vulnerability presents a heightened risk due to its increased likelihood of exploitation, making immediate action imperative for all users.

The Vulnerability in Focus

Discovered by security researcher XiaoWei of Kunlun Lab, this newly identified threat stems from an Integer Underflow weakness. Attackers can exploit this flaw to trigger buffer overflows on vulnerable systems, potentially executing arbitrary code. The vulnerability affects Windows 10, Windows 11, and various Windows Server systems—basically, any Windows system where IPv6 is enabled by default. The urgency is compounded by Microsoft's classification of this vulnerability as "exploitation more likely," highlighting the potential for threat actors to develop consistent exploit methodologies.

Why This Matters

What sets this vulnerability apart is its wormable nature. As described by Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, this flaw allows remote, unauthenticated attackers to execute code by merely sending specially crafted IPv6 packets. This means the vulnerability could propagate through networks in a manner similar to a worm, drastically increasing its potential impact across unpatched systems.

Compounding the issue, blocking IPv6 at the local Windows firewall is ineffective because the exploit is triggered before any firewall processing. Therefore, relying solely on firewall configurations is insufficient protective measure against this threat.

Recommended Actions

Microsoft's advisory emphasizes the importance of applying this month's security patches promptly to mitigate the risk. However, acknowledging that immediate patch application may not be feasible in all environments, Microsoft also suggests temporarily disabling IPv6 as a workaround to eliminate the attack surface. Yet, this comes with its challenges. IPv6 has been a mandatory part of Windows since Vista, and disabling it could disrupt functions dependent on its operation.

For those who can apply updates, doing so should be prioritized. According to Microsoft, past instances of similar vulnerabilities have been exploited, making this an attractive target for attackers.

Disable IPv6

On Windows 11, by default, the system uses the Internet Protocol version 6 (TCP/IPv6) and IPv4 protocols in a dual-stack configuration. Although IPv4 is still the primary protocol in local networks, using both versions is a good idea since more and more modern applications depend on the protocol.

However, if IPv6 is causing problems in a specific scenario or you determine there's no need for the networking feature in your network, Windows 11 provides various ways to disable it. For example, disabling IPv6 has been known to fix issues with PC Game Pass games not syncing or installing correctly, in some situations. Microsoft offers a variety of ways to turn off Internet Protocol version 6 through the Settings app, Command Prompt, and PowerShell.

This how-to guide will teach you the steps to disable the IPv6 networking feature on Windows 11.

How to disable IPv6 from Settings on Windows 11

To disable the IPv6 protocol on Windows 11, use these steps:

1. Open Settings.
2. Click on Network & internet.
3. Click the "Advanced network settings"
4. Under the "Related settings" section, click the "More network adapter options"
5. Right-click the network adapter and choose the Properties 
6. Clear the "Internet Protocol Version 6 (TCP/IPv6)"
7. Click the OK 

Once you complete the steps, the IPv6 protocol will no longer be available on the system. Although it's not a requirement, restarting the computer to ensure the changes apply correctly is a good idea.

Historical Context of IPv6 Vulnerabilities

This isn't the first time Windows users have faced IPv6-related security issues. Over recent years, Microsoft has addressed several significant flaws, including the notorious "Ping of Death" vulnerabilities (CVE-2020-16898/9) and a fragmentation bug (CVE-2021-24086), both capable of RCE and denial-of-service attacks. This trend underscores the ongoing risk these protocols pose if not adequately protected.

Final Thoughts

While there are no widespread exploits actively targeting this particular vulnerability yet, the potential for harm remains high. At Critical Path Security, we strongly advise all organizations and individual users to apply the available patches without delay. Remaining proactive in patch management is integral to defending against potential cyber threats. Ensure that your systems are fortified against CVE-2024-38063 and similar vulnerabilities to protect your data and operations.