Attacker Value
Very High
(2 users assessed)
Exploitability
Low
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
8

CVE-2024-38063

Disclosure Date: August 13, 2024
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Windows TCP/IP Remote Code Execution Vulnerability

Add Assessment

5
Ratings
Technical Analysis

On August 13, 2024, Microsoft disclosed CVE-2024-38063, an integer underflow vulnerability (CWE-191) affecting the IPv6 component of the Windows TCP/IP networking stack.

The affected Windows versions are summarized below (For a detailed list see the Microsoft advisory):

  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2008

We can see that this vulnerability affects a broad number of Windows systems, including all recent major versions and several older versions, dating back to Server 2008.

The vulnerability has been given a critical severity rating by Microsoft, with an accompanying CVSS score of 9.8. This score rates the vulnerability as both unauthenticated, and having low attacker complexity. Such a score indicates that this vulnerability may be a viable candidate for a remote code execution exploit. The low attacker complexity rating is likely an indication as to the ease in triggering the vulnerability, and not actually successfully exploiting the vulnerability to achieve RCE. Given that modern Windows kernels employ numerous memory corruption mitigations (such as Kernel ASLR, and Kernel CFG), and hardening techniques (such as PatchGuard and HyperGuard), actually building a reliable remote code execution exploit is likely difficult. It is worth noting that on older affected systems, like Server 2008, exploitation may be easier.

If we diff the patched tcpip.sys driver against an older, unpatched copy of the driver, we can see that the function tcpip!Ipv6pProcessOptions has been modified slightly. While it is currently unclear as to the root cause of the vulnerability based on this changed function, as there are no other notable changes in the tcpip.sys driver, it is likely that IPv6 options processing is at play.

Given what we currently know about the vulnerability, I have given this an attacker value rating of very high, as a potential unauthenticated RCE in a default installation of Windows is a high value exploit for an attacker. However, given the likely complexity in building a successful RCE exploit targeting the broad gambit of affected Windows versions, I have given the exploitability rating as low.

The best protection at this time is to apply the official patch from Microsoft. If this is not possible, disabling IPv6 on the network adapter is the next best mitigation. Organizations can also evaluate if ingress IPv6 traffic is necessary on their networks.

4
Ratings
Technical Analysis

As a quick addendum to @sfewer-r7’s excellent assessment, I’ve seen this vulnerability compared with CVE-2020-16898 in a few news articles, alongside the dreaded “w” word (“wormable”). Notably, that older bug never got exploited broadly — in fact, I still haven’t seen any good technical evidence that it was exploited at all.

There’s no guarantee this new vuln will follow that same trajectory, but if it actually gets used in the wild, I’d expect it to be used in highly targeted attacks by skilled adversaries (personally, my money’s on Chinese state-sponsored threat actors).

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 1507,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 21h2,
  • windows 10 22h2,
  • windows 11 21h2,
  • windows 11 22h2,
  • windows 11 23h2,
  • windows 11 24h2,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012,
  • windows server 2012 r2,
  • windows server 2016,
  • windows server 2019,
  • windows server 2022,
  • windows server 2022 23h2

Additional Info

Technical Analysis