Overview: A critical vulnerability, CVE-2024-38063, has been identified in the Windows TCP/IP stack, impacting nearly all versions of Windows, including servers and workstations. This vulnerability, which affects the implementation of IPv6, is particularly concerning due to its potential to grant an attacker SYSTEM-level privileges, the highest level of access on a Windows machine.
Details:
- Vulnerability Scope: This flaw is universal across all Windows systems with IPv6 enabled, putting both servers and workstations at risk. It could be particularly nasty, as it affects a wide range of Windows versions.
- Attack Vector: The vulnerability can be exploited remotely by an attacker who sends a specially crafted IPv6 packet to an internet-facing Windows device. It is a zero-click exploit, meaning no user interaction is required, significantly increasing the risk.
- Impact: Once exploited, the attacker gains remote code execution capabilities under SYSTEM privileges, allowing them full control over the affected machine.
- Exploit Characteristics: This is a zero-click remote code execution vulnerability, requiring only that the attacker has network access to the target device with IPv6 enabled.
Recommendations:
- Immediate Action: Any machine with IPv6 enabled should be patched immediately and IPv6 Disabled as a precaution. Compromised hosts should be taken offline immediately and environments should be assessed for indicators of compromise.
(Update) Security research suggests that local firewall on windows will not be enough to stop exploitation of the vulnerability, as the exploit occurs before firewall controls are applied.
- Incident Response: If a system is suspected to be compromised, take it offline immediately and conduct a comprehensive assessment for indicators of compromise.
- Ongoing Monitoring: Although exploitation of this vulnerability has not yet been observed in the wild, the potential severity warrants close attention. Detection methods are still being developed, but security vendors like I360 are actively monitoring the situation for any new developments.
This vulnerability is particularly dangerous due to its zero-click nature and the high privileges it can grant to an attacker. It is crucial to take immediate action to secure your systems against CVE-2024-38063, as failure to do so could result in significant security breaches and full control of affected devices by malicious actors.
Concerned over this vulnerability? Contact the experts at Intgerity360 and we will help defend your organisation.