Microsoft’s August patch addresses a critical vulnerability in the Windows TCP/IP stack. We examine the threat and explain the simple way organisations can protect their systems against IPv6-based attacks.
In August, Microsoft released a security update for a critical vulnerability (CVE-2024-38063) in IPv6 in the Windows TCP/IP stack.
The flaw allows remote attackers to gain privileged access and execute malicious code. A vulnerability that poses serious threats to organisations and people.
In this blog, we’ll provide everything you need to know about the vulnerability and how you can protect your system.
The background
IPv6 in Windows TCP/IP stack has been subject to various vulnerabilities and exploitation in recent years.
So, what have been the causes?
Perhaps the main reason is that IPv6 is turned on by default in Windows, even if a network doesn’t use it.
This creates possible attack routes, especially since many organisations focus on securing IPv4 and ignore IPv6.
Furthermore, IPv6 has more complex protocols than IPv4, like Neighbour Discovery (NDP) and Router Advertisements (RA), all of which can be exploited.
Windows has long provided backward compatibility and legacy protocol support, which introduces additional vulnerabilities. For example, older IPv6 tunnelling protocols can be abused by attackers to bypass network security measures.
How the IPv6 vulnerability works
The vulnerability lies in the tcpip.sys driver, which manages network traffic in Windows.
When IPv6 is enabled, Windows attempts to process all incoming traffic using this protocol. Due to improper validation of incoming IPv6 packets, certain types of maliciously crafted packets can bypass security checks and execute arbitrary code on the system.
The packets trigger the flaw in the TCP/IP stack, bypassing normal security checks and allowing the malicious code to be executed.
As this flaw can be exploited remotely, the attacker doesn’t need physical access to the machine. By sending specially constructed packets over the network, they’re able to gain the same privileges as the logged-in user, allowing them to take control of the system.
Which, obviously, poses a severe risk to your organisation.
The devastating potential of the IPv6 exploit
Once exploited, attackers can take over the compromised system, putting data, resources, and the entire system in serious jeopardy. The costs of which can be devastating to an organisation’s finances, operations, and reputation.
And with IPv6 being widely used and enabled by default on all Windows systems, it’s An exploit with the capacity to affect a great many users.
The attack is also scalable. There is no need for user interaction or direct physical access, which makes it a particularly attractive option for cybercriminals looking to launch widespread attacks.
Which is exactly why it’s imperative for organisations to act swiftly.
Mitigation: How to protect your system
Thankfully, Microsoft has released a patch for this vulnerability as part of their August 2024 Patch Tuesday report.
If you haven’t updated your systems yet, then we strongly advise immediate action.
In addition to applying the patch, Microsoft also advises the following action to further mitigate the risk:
Disable IPv6 if not required
This is the most effective solution. If your network does not rely on IPv6, disable it to close the vulnerability completely. Systems without IPv6 enabled are immune to this specific attack.
Final thoughts
The IPv6 vulnerability (CVE-2024-38063) underscores the importance of network security.
While it’s important for the growth of online activity to have these kinds of protocols enabled, we also need to be vigilant to the risks and challenges.
The critical nature of this vulnerability, combined with its ease of exploitation and potential for severe damage, highlights why addressing it promptly is essential.
Take the time to patch your systems, evaluate your use of IPv6, and ensure that your network is adequately protected from threats like this.
By doing so, you’ll safeguard your systems against future vulnerabilities and maintain a stronger security posture in an ever-evolving digital landscape.
Key takeaways
Microsoft patched a critical vulnerability (CVE-2024-38063) in Windows TCP/IP, enabling remote code execution.
The flaw allows attackers to exploit improperly validated IPv6 packets, bypassing security checks.
IPv6 is often ignored in favour of IPv4 security, despite being enabled by default in Windows.
Exploiting the flaw risks severe damage to systems, finances, and reputation.
Apply the patch and disable IPv6 if unused to mitigate the risk.
Let's talk!
30-day free trials and flexible contracts
Book a free Discovery Call and learn more about our AI-powered security operations service, XDR Rapid Protect.
Get more information on:
- 30-day free trials for new partnerships
- Flexible, 30-day contracts (no lock-in)
- Microsoft-funded proof of concepts
Next steps
Like this guide? Then don’t forget to share it with your followers.
Great emails start here
Sign up for free resources and exclusive invites
Subscribe to the Kocho mailing list if you want:
- Demos of the latest Microsoft tech
- Invites to exclusive events and webinars
- Resources that make your job easier
Got a question? Need more information?
Our expert team is here to help.