Microsoft urges customers to fix a critical TCP/IP remote code execution (RCE) flaw, tracked as (CVSS score 9.8), in the TCP/IP stack. The vulnerability impacts all systems with IPv6 enabled (IPv6 is enabled by default).
An unauthenticated attacker can exploit the flaw by repeatedly sending IPv6 packets, including specially crafted packets, to a Windows machine which could lead to remote code execution.
Microsoft confirmed that a threat actor can exploit this flaw in a low-complexity attack and its exploitability assessment labels the issue as “exploitation more likely.” This label suggests that Microsoft is aware of past instances of this type of vulnerability being exploited.
Kunlun Lab’s discovered the flaw several months ago, he urged customers to apply the patches because the “exploitation is more likely.”
The flaw is a buffer overflow issue that can be exploited to achieve arbitrary code execution on vulnerable Windows 10, Windows 11, and Windows Server systems.
XiaoWei pointed out that blocking IPv6 on the local Windows firewall cannot prevent the exploitation of the issue because the vulnerability is triggered before it is processed by the firewall.
Microsoft recommends disabling IPv6 as a mitigation measure.
The issue was addressed by Microsoft with the release of Patch Tuesday security updates for August 2024 that also fixed the following actively exploited flaws:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
Microsoft Project Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE | |
Scripting Engine Memory Corruption Vulnerability | Important | 7.5 | No | Yes | RCE | |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP | |
Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | Yes | EoP | |
Windows Power Dependency Coordinator Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP | |
Windows Mark of the Web Security Feature Bypass Vulnerability | Moderate | 6.5 | No | Yes | SFB |
(SecurityAffairs – hacking, TCP/IP)