Introduction
The vulnerability CVE-2024-38063 is a critical security issue in the Windows kernel, particularly within the tcpip.sys driver, which is used for the management of TCP/IP packet processing. This vulnerability has been assigned a CVSS score of 9.8, this allows remote attackers to exploit IPv6 and potentially resulting in denial-of-service conditions or execution of remote code. This article aims to explore the methods for detecting, exploiting, and mitigating around this vulnerability.
Detection
Detecting CVE-2024-38063 involves monitoring network traffic for unusual IPv6 packet patterns that might exploit the vulnerability
If you need to check if your endpoint is IPv6 routable use the "ipconfig" command in windows.
If the IPv6 starts with 2 or 3 then you might have a routable IPv6 address
Powershell one line to help in detecting if ipv6 is enabled on the system
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object Name, @{Name='IPv6Enabled';Expression={($_.IPv6Enabled -eq $true)}}If you need to find this vulnerability at scale please reach us via securedots.in
Exploitation
At the time of writing there has not been any exploit that is able to achieve remote code execution on the host but they are able to crash the machine.
Mitigation
Patch : Ensure that systems are updated with the latest security patches from Microsoft, particularly those addressing vulnerabilities in tcpip.sys. The patch released on August 13, 2024, specifically addresses this vulnerability.
Network Security Measures: Employ firewalls and intrusion detection systems to monitor and filter IPv6 traffic. Implement rules to block malformed IPv6 packets that could exploit the vulnerability.
Comments