Exploit for critical IPv6 vulnerability in Windows discovered
Please patch critical IPv6 vulnerability in Windows urgently!
Attackers can remotely execute malicious code on Windows systems using special IPv6 packets. An exploit code for this is now publicly available.
On August 13, Microsoft released patches for a critical vulnerability that allows attackers to remotely execute malicious code on various Windows systems using specially crafted IPv6 packets, without any user interaction. A security researcher known by the pseudonym Ynwarcs has now published proof-of-concept (PoC) code for this vulnerability on GitHub.
The vulnerability, registered as CVE-2024-38063 and classified as critical with a CVSS score of 9.8, was discovered by a researcher named Wei from the Chinese company Cyber Kunlun. On August 14, he stated on X that, in view of the danger it poses, he would not publish any details about the vulnerability for the time being.
PoC publication was foreseeable
Microsoft itself rates CVE-2024-38063 as having low attack complexity and considers future exploitation of the vulnerability likely. It was therefore only a matter of time before someone other than Wei found a way to exploit it. Now that Ynwarcs has done so and the associated exploit code is publicly available, attacks based on the vulnerability are unlikely to be far off.
Anyone who wants to protect themselves against such attacks should update their Windows systems immediately if they have not already done so. Patches are not only available for the desktop operating systems Windows 10 and Windows 11, but also for Windows Server 2008 (R2), 2012, 2016, 2019 and 2022.
In the event that the August updates cannot yet be installed, for example because they cause other problems, Microsoft recommends disabling IPv6 for the time being, where possible, in order to reduce the risk of a successful attack.
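The two defensive steps described above, checking whether the update is in place and, only as a stop-gap, unbinding IPv6 from the network adapters, can be scripted. The following is an added example written for this page; it is not code from the article, from Microsoft or from any of the researchers mentioned. It assumes an elevated PowerShell session on a Windows version that ships the NetAdapter module (Windows 8.1 / Server 2012 R2 or later; the older Server 2008 and 2012 builds named above would need the legacy netsh tooling instead). The script name, the `-DisableIPv6` switch and the comparison of the tcpip.sys version against the patched build are assumptions; the article does not list KB numbers or file versions, so those must be taken from the MSRC advisory.

```powershell
<#
  Added example (not from the article). Read-only by default: reports the
  tcpip.sys driver version, the most recent installed updates and every
  adapter that still has IPv6 bound. Pass -DisableIPv6 to apply Microsoft's
  interim mitigation of unbinding IPv6 where the August 2024 update cannot
  yet be installed. Requires an elevated session and the NetAdapter module.
#>
param([switch]$DisableIPv6)

# The fix changed the tcpip.sys driver, so its file version is the most direct
# indicator of patch state. Compare it with the version listed for this build
# in the MSRC advisory (placeholder: not given on this page).
$tcpip = Get-Item "$env:SystemRoot\System32\drivers\tcpip.sys"
Write-Host ("tcpip.sys version: {0}" -f $tcpip.VersionInfo.FileVersion)

# Most recent updates, to confirm whether the August 2024 cumulative update
# (KB number per the MSRC advisory) is already present.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# Adapters with the IPv6 stack (ms_tcpip6) still bound are the ones that will
# process crafted IPv6 packets; an unpatched host with none bound is not exposed
# on the network path this vulnerability uses.
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }
if ($bound) {
    Write-Host "Adapters with IPv6 bound:"
    $bound | Format-Table Name, InterfaceDescription, Enabled -AutoSize
} else {
    Write-Host "No adapter has IPv6 bound."
}

if ($DisableIPv6 -and $bound) {
    foreach ($binding in $bound) {
        # Interim mitigation only; revert once the update is installed with:
        #   Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
        Disable-NetAdapterBinding -Name $binding.Name -ComponentID ms_tcpip6 -Confirm:$false
        Write-Host ("IPv6 unbound from adapter '{0}'" -f $binding.Name)
    }
}
```

Run it once without the switch to record the baseline, and treat the unbinding as temporary: services that depend on IPv6 (for example some Exchange and DirectAccess deployments) may break, so re-enable the binding as soon as the August update is applied.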
Small change with a big impact
In its GitHub repository for CVE-2024-38063, Ynwarcs refers to an analysis by security researcher Marcus Hutchins of MalwareTech, in which further details on the vulnerability can be found. Hutchins derived these from the changes Microsoft made to the driver file tcpip.sys in order to patch the vulnerability: only a single function was modified, and only slightly.
Hutchins himself did not publish a PoC, as reliable exploitation of the bug "proved extremely difficult" for him. According to Ynwarcs, the target system must be made to coalesce received packets to a certain degree. "Some adapter and driver pairs are very happy to do this, while others seem to be more reluctant," the researcher explains on GitHub.
Additional information is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063