Due to the Massive Threat of the Windows TCP/IP Vulnerability, Researchers Will Not Disclose Details Anytime Soon
Brook.X
Yesterday, we discussed Microsoft's August routine update, which addressed a vulnerability in Windows TCP/IP. Located within the network stack, this flaw could allow remote code execution by sending specially crafted IPv6 packets to the targeted device.
Notably, this vulnerability is considered a wormable flaw, meaning it can spread laterally across internal networks. If one device within a corporate network is compromised, other devices are also at risk of attack.
Given the significant threat posed by this vulnerability, the security researchers who discovered it, led by Wei from Cyber Kunlun, have stated that they will not disclose the details in the near future.
Wei mentioned on X/Twitter:
"Considering its potential harm, I won't reveal more details shortly. Blocking IPv6 on local Windows firewalls doesn't prevent the exploitation of this flaw, as it is triggered before the firewall can process it."
Microsoft's security bulletin also highlighted that attackers could exploit this vulnerability with low complexity by repeatedly sending IPv6 packets containing specially crafted data. Microsoft acknowledged past instances where similar vulnerabilities were exploited, making it an attractive target for attackers and thus more likely to be exploited.
Both researchers and Microsoft recommend that users immediately install the update to patch this vulnerability. If immediate patching isn't feasible, disabling IPv6 is advised, though this prevents packets from reaching and exploiting the flaw.
However, it's important to note that the IPv6 network protocol is a mandatory part of Windows Vista, Windows Server 2008, and later versions. Microsoft does not recommend disabling IPv6 outright, as this may cause some Windows components to cease functioning.
Researchers from Trend Micro have marked this vulnerability as wormable:
"The worst-case scenario could be the TCP/IP flaw, allowing remote, unauthenticated attackers to achieve code execution by sending specially crafted IPv6 packets to affected targets."
''This means it's wormable, and while disabling the IPv6 protocol is possible, almost all applications have IPv6 enabled by default.''
Over the past few years, several vulnerabilities in Windows IPv6 have emerged, including the TCP/IP flaws CVE-2020-16898/16899, which could be exploited for remote code execution and to launch DoS attacks using malicious ICMPv6 router advertisement packets.
CVE-2021-24086, an IPv6 fragmentation error, made all Windows systems susceptible to DoS attacks, and the DHCPv6 flaw CVE-2023-28231 could also be exploited for remote code execution through specially crafted packets.
