On August 13, 2024, Microsoft disclosed a critical vulnerability, CVE-2024-38063, as part of its Patch Tuesday updates [1], [2]. This vulnerability affects the TCP/IP protocol, a fundamental communication protocol used for connecting devices on the Internet and enabling services like the World Wide Web and email. With a CVSS score of 9.8 (Critical), this vulnerability is considered critical because it can be exploited remotely and has the potential to be "wormable," meaning it could spread across networks without requiring user interaction. CVE-2024-38063 specifically allows attackers to execute arbitrary code remotely (RCE) on systems that have IPv6 enabled, which is the default setting on affected systems. This vulnerability impacts a wide range of Windows operating systems, including Windows 10, Windows 11, and Windows Server versions from 2008 through 2022. Organizations are strongly advised to update their systems immediately to prevent the risk of exploitation.
In this blog, we explained how the CVE-2024-38063 exploits work and how organizations can defend against CVE-2024-38063 attacks.
CVE-2024-38063: Microsoft Windows IPv6 TCP/IP RCE Explained
CVE-2024-38063 is a critical vulnerability that resides within the Windows TCP/IP stack, specifically targeting the IPv6 subsystem. Patched by Microsoft in August 13, 2024, this vulnerability allows remote code execution (RCE) by exploiting the system’s improper handling of specially crafted network packets [1]. The vulnerability lies in the way these packets are processed, leading to a buffer overflow that can enable attackers to execute arbitrary code on the affected machine.
But Why So Critical?
When Microsoft released the patch on August 13th, the fix for this vulnerability came with a CVSS score of 9.8—an alarmingly high score. But why is it so critical? The answer lies in where this vulnerability exists: right in the heart of the Windows kernel, within one of the most easily accessible parts of the operating system. This makes it a prime target for attackers, and its position in the kernel means that an exploit could have devastating consequences, potentially allowing attackers to take full control of the affected system.
How IPv6 Takes Center Stage in Remote Kernel Exploitation?
Well, what makes this vulnerability so interesting? The key lies in how the Windows kernel handles IPv6 extension headers—an often-overlooked yet powerful feature of the Internet Protocol. IPv6 was developed to address the limitations of its predecessor, IPv4, particularly the exhaustion of IP addresses. It also brought along new features like extension headers, which carry additional instructions for processing packets.
But these extension headers, when mishandled, can lead to significant problems. In the case of CVE-2024-38063, the vulnerability is rooted in how fragmented IPv6 packets are processed. When these packets arrive at their destination, they should be reassembled into their original form. However, the Windows kernel’s approach to this reassembly process can be exploited. By sending a large number of specially crafted packets—each with manipulated extension headers—an attacker can overwhelm the system. This overload causes the kernel to mishandle memory, leading to a buffer overflow, where data spills over its allocated space. This overflow creates a pathway for attackers to inject and execute malicious code.
Affected Operating Systems from CVE-2024-38063 RCE Vulnerability
CVE-2024-38063 affects a wide range of Windows operating systems, specifically targeting those with IPv6 enabled.
The affected operating systems include:
-
Windows 10: All versions, as IPv6 is enabled by default. This includes both consumer and enterprise editions.
-
Windows 11: Similar to Windows 10, all versions are vulnerable due to the default IPv6 setting.
-
Windows Server (2008 through 2022): This includes multiple versions, both standard and Server Core installations. These server editions are widely used in enterprise environments, making this vulnerability particularly critical for businesses.
The vulnerability is significant because IPv6 is enabled by default on all these operating systems, making nearly all modern Windows deployments at risk. Microsoft has implemented IPv6 by default to ensure compatibility and support for modern networking needs, which also means that any vulnerability in the IPv6 stack has the potential to impact a large number of systems.
Proof-of-Concept (PoC) for CVE-2024-38063 Exploit
There is a publicly available PoC code for the attack [3], and if you are interested in a more in-depth technical analysis of the vulnerability, a security researcher has provided his detailed breakdown here [4].
This PoC is significant because it systematically constructs malicious packets, fragmenting them and padding them in ways that exploit the vulnerability. Once crafted, the code sends these packets in rapid succession, effectively overwhelming the target system until it falls down to the pressure.
Crafting the Malicious IPv6 Packets
The first step is to create IPv6 packets with these specific, crafted headers.
first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)]) |
Here, the attacker is crafting a packet that includes an IPv6 extension header (IPv6ExtHdrDestOpt). This header, usually harmless, is stuffed with carefully chosen data that will cause problems when the kernel tries to process it. The packet is designed to look like any other network traffic, but inside it carries a payload that can confuse the system.
Fragmenting the Packets
Once the malicious packet is created, the next logical step is to fragment it. IPv6 supports packet fragmentation to ensure that large packets can be broken down into smaller pieces, sent over the network, and then reassembled by the receiving system.
second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa' |
By fragmenting the packet, the attacker introduces a level of complexity that the Windows kernel fails to manage properly. Normally, these fragments would be harmlessly reassembled into the original packet. However, when the packet includes the previously mentioned malicious extension headers, the reassembly process becomes a minefield. The Windows kernel’s mishandling of this process leads to memory corruption—a precursor to more severe exploits like remote code execution.
Flooding the Target System
With the packets ready, the attacker then sends them in rapid succession:
final_ps = [] |
Here, the attacker isn’t just sending a few packets; it’s flooding the target with them. This isn’t just about volume—it’s about timing. By sending a large number of these fragmented, malicious packets, the attacker increases the likelihood that the kernel will process them in a way that triggers the vulnerability. This high-traffic scenario is crucial because it helps create the race conditions needed to exploit the flaw effectively.
Steps to Mitigate the CVE-2024-38063 Vulnerability
As the risk of exploitation from CVE-2024-38063 remains high, immediate action is essential to protect your systems. Here are some targeted steps you can take to mitigate the vulnerability and secure your network against potential attacks:
-
Update Windows Systems
The most critical step in mitigating CVE-2024-38063 is to apply all relevant Windows Security Updates as soon as possible [1]. These patches are specifically designed to address the vulnerability and should be prioritized to protect your systems from potential exploits.
-
Disable IPv6 if Patching is Not Immediate
If you are unable to apply the necessary updates right away, consider disabling IPv6 as a temporary measure to reduce the attack surface. However, be aware that disabling IPv6 can disrupt network services that depend on it, so this should be done cautiously. Remember, this is a short-term solution, and the best long-term protection is to apply the latest security updates.
-
Monitor for Anomalous IPv6 Traffic
Implement continuous monitoring for any unusual or unexpected IPv6 network activity. Detecting such anomalies early can help in identifying potential attempts to exploit the vulnerability, allowing for quicker response and mitigation.
How Picus Helps Simulate CVE-2024-38063 Remote Code Execution (RCE) Attacks?
We also strongly suggest simulating the CVE-2024-38063 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for CVE-2024-38063 vulnerability exploitation attacks:
Threat ID |
Threat Name |
Attack Module |
63581 |
Windows TCP/IP Denial of Service Vulnerability Threat |
E-mail Infiltration |
92969 |
Windows TCP/IP Denial of Service Vulnerability Threat |
Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063. [Accessed: Sep. 02, 2024]
[2] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug. [Accessed: Sep. 02, 2024]
[3] “CVE-2024-38063/script/cve-2024-38063.py at main · ynwarcs/CVE-2024-38063,” GitHub. Available: https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py. [Accessed: Sep. 02, 2024]
[4] M. Hutchins, “CVE-2024-38063 - Remotely Exploiting The Kernel Via IPv6 – MalwareTech,” Aug. 27, 2024. Available: https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html. [Accessed: Sep. 02, 2024]