An analysis of the critical flaw in the Windows IPv6 TCP/IP stack
Take action: The flaw lies in the Windows kernel’s IPv6 parser and can be exploited even if the system’s firewall is active, because the malicious packets are processed before they reach the firewall. Patch now, or disable IPv6 on Windows and accept the risk of network issues.
Microsoft released a patch for a critical Windows TCP/IP remote code execution (RCE) vulnerability as part of its August Patch Tuesday updates. Tracked as CVE-2024-38063 (CVSS score 9.8), it has generated significant discussion within the cybersecurity community due to its potential impact. The vulnerability is classified as "wormable," meaning it could spread across networks without user interaction.
CVE-2024-38063 is an integer underflow vulnerability affecting the IPv6 protocol on Windows systems. It allows unauthenticated attackers to remotely execute code by sending specially crafted IPv6 packets. If successfully exploited, this vulnerability could lead to a buffer overflow, enabling arbitrary code execution on targeted systems running Windows 10, Windows 11, and Windows Server versions.
Cybersecurity expert Marcus Hutchins highlighted that the issue lies within the Windows kernel’s IPv6 parser and could be exploited even if the system’s firewall is active, as the malicious packets would be processed before they reach the firewall.
The vulnerability impacts all current Windows versions:
- Windows 10
- Windows 11
- Windows Server
Microsoft has provided guidance stating that systems are not affected if IPv6 is disabled. However, opinions vary on whether disabling IPv6 is a viable mitigation. While some security professionals argue that disabling IPv6 is an effective approach, especially if it is not in use, others caution that this could introduce operational risks in environments where IPv6 is essential.
- Brian Hysell, Associate Principal Consultant at Synopsys Software Integrity Group, recommends applying the patch as the primary solution, noting that disabling IPv6 could lead to unexpected issues in larger organizations.
- Chris Bates, CISO at SandboxAQ, supports disabling IPv6 if it is not actively used, framing it as a straightforward method for reducing the attack surface.
- Stephen Fewer, Principal Security Researcher at Rapid7, emphasizes that this vulnerability is specific to Microsoft’s implementation of IPv6. He advises organizations to apply the patch quickly, especially in environments where disabling IPv6 could disrupt business-critical operations.
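As an added example (not the article's own code), the following PowerShell script audits which network adapters still have IPv6 bound and, only when run with -Apply, unbinds IPv6 from adapters that carry no routable IPv6 address, which is the "not actively used" case the experts above consider a reasonable mitigation; adapters that do carry routable IPv6 addresses are skipped, since that is where disabling IPv6 risks the operational disruption the article warns about and the patch is the fix. It uses the standard NetAdapter and NetTCPIP cmdlets and assumes an elevated session.

```powershell
# Added example, not the article's code: audit IPv6 bindings per adapter and
# optionally unbind IPv6 where it is clearly unused. Run in an elevated session.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports, changing nothing
)

# Link-local fe80::/10 addresses exist on every IPv6-enabled interface, so they
# do not show that IPv6 is actually in use; anything else counts as routable.
function Test-RoutableIPv6 {
    param([string]$InterfaceAlias)
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -InterfaceAlias $InterfaceAlias `
                              -ErrorAction SilentlyContinue
    foreach ($a in $addrs) {
        if ($a.IPAddress -notmatch '^(fe80:|::1$)') { return $true }
    }
    return $false
}

# One row per adapter: is the IPv6 protocol (ms_tcpip6) bound, and is it in use?
$report = foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
    $adapter = Get-NetAdapter -Name $b.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Adapter    = $b.Name
        Status     = if ($adapter) { $adapter.Status } else { 'Unknown' }
        IPv6Bound  = $b.Enabled
        RoutableV6 = Test-RoutableIPv6 -InterfaceAlias $b.Name
    }
}
$report | Format-Table -AutoSize

foreach ($r in $report) {
    if (-not $r.IPv6Bound) { continue }   # already unbound, nothing to do
    if ($r.RoutableV6) {
        # IPv6 is in use on this adapter: unbinding it risks breaking
        # connectivity, so leave it alone and rely on the patch instead.
        Write-Warning "$($r.Adapter): routable IPv6 present, leaving binding enabled; patch instead."
        continue
    }
    if ($Apply) {
        Disable-NetAdapterBinding -Name $r.Adapter -ComponentID ms_tcpip6
        Write-Host "$($r.Adapter): IPv6 binding disabled."
    } else {
        Write-Host "$($r.Adapter): no routable IPv6, would disable binding (re-run with -Apply)."
    }
}
```

The change is reversible per adapter with Enable-NetAdapterBinding -ComponentID ms_tcpip6, and it is a stopgap for hosts that cannot be patched immediately, not a substitute for installing the update.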
Update - Proof-of-concept (PoC) exploit code for CVE-2024-38063 has been released, making it easier for threat actors to exploit the flaw. This vulnerability affects Windows 10, Windows 11, and Windows Server systems with IPv6 enabled.