Microsoft IPv6: Protect your system against critical vulnerabilities

In August, Microsoft released a security update for a critical vulnerability (CVE-2024-38063) in IPv6 in the Windows TCP/IP stack.

The flaw allows remote attackers to gain privileged access and execute malicious code. A vulnerability that poses serious threats to organisations and people.

In this blog, we’ll provide everything you need to know about the vulnerability and how you can protect your system.

The background

IPv6 in Windows TCP/IP stack has been subject to various vulnerabilities and exploitation in recent years.

So, what have been the causes?

Perhaps the main reason is that IPv6 is turned on by default in Windows, even if a network doesn’t use it.

This creates possible attack routes, especially since many organisations focus on securing IPv4 and ignore IPv6.

Furthermore, IPv6 has more complex protocols than IPv4, like Neighbour Discovery (NDP) and Router Advertisements (RA), all of which can be exploited.

Windows has long provided backward compatibility and legacy protocol support, which introduces additional vulnerabilities. For example, older IPv6 tunnelling protocols can be abused by attackers to bypass network security measures.

How the IPv6 vulnerability works

The vulnerability lies in the tcpip.sys driver, which manages network traffic in Windows.

When IPv6 is enabled, Windows attempts to process all incoming traffic using this protocol. Due to improper validation of incoming IPv6 packets, certain types of maliciously crafted packets can bypass security checks and execute arbitrary code on the system.

The packets trigger the flaw in the TCP/IP stack, bypassing normal security checks and allowing the malicious code to be executed​.

As this flaw can be exploited remotely, the attacker doesn’t need physical access to the machine. By sending specially constructed packets over the network, they’re able to gain the same privileges as the logged-in user, allowing them to take control of the system.

Which, obviously, poses a severe risk to your organisation.

The devastating potential of the IPv6 exploit

Once exploited, attackers can take over the compromised system, putting data, resources, and the entire system in serious jeopardy. The costs of which can be devastating to an organisation’s finances, operations, and reputation.

And with IPv6 being widely used and enabled by default on all Windows systems, it’s An exploit with the capacity to affect a great many users.

The attack is also scalable. There is no need for user interaction or direct physical access, which makes it a particularly attractive option for cybercriminals looking to launch widespread attacks.

Which is exactly why it’s imperative for organisations to act swiftly.

Mitigation: How to protect your system

Thankfully, Microsoft has released a patch for this vulnerability as part of their August 2024 Patch Tuesday report.

If you haven’t updated your systems yet, then we strongly advise immediate action.

In addition to applying the patch, Microsoft also advises the following action to further mitigate the risk:

Disable IPv6 if not required

This is the most effective solution. If your network does not rely on IPv6, disable it to close the vulnerability completely. Systems without IPv6 enabled are immune to this specific attack.

Final thoughts

The IPv6 vulnerability (CVE-2024-38063) underscores the importance of network security.

While it’s important for the growth of online activity to have these kinds of protocols enabled, we also need to be vigilant to the risks and challenges.

The critical nature of this vulnerability, combined with its ease of exploitation and potential for severe damage, highlights why addressing it promptly is essential.

Take the time to patch your systems, evaluate your use of IPv6, and ensure that your network is adequately protected from threats like this.

By doing so, you’ll safeguard your systems against future vulnerabilities and maintain a stronger security posture in an ever-evolving digital landscape.

Key takeaways