Attacker Value
Low
(2 users assessed)
Exploitability
Low
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2021-24074

Disclosure Date: February 25, 2021
CVE-2021-24074 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Windows TCP/IP Remote Code Execution Vulnerability

Add Assessment

6
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very Low
Common in enterpriseUnauthenticatedVulnerable in default configurationDifficult to weaponize
Technical Analysis

This remains a spectacularly new vulnerability with little documentation associated with it beyond Microsoft’s blog here: https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/
In the blog, they report that this vulnerability is associated with IPv4 source routing, but the default blocks against source routing on Windows are not suffcient, as the default configuration allows a Windows system to process ICMP requests with source routing.
Reported as a remote code execution vulnerability, Microsoft claims that it will likely not be weaponized for that purpose quickly, though it might see a DoS exploit in the near-term.
There is a patch, but also, the mitigations provided in the guidance (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074) involve the creation of a rule blocking source forwarding from the built-in firewall:
netsh int ipv4 set global sourceroutingbehavior=drop
Such a change in the firewall configuration can be deployed by group policy and would not require a reboot. The rule could also be deployed to infrastructure firewalls, but would then only protect against attacks that took place across the firewall; the rules would need to be set on all Windows system host-based firewalls to protect against lateral movement within a network.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Low
Technical Analysis

Not much to add to @bwatters-r7’s findings but just wanted to note that there is a detailed analysis of this vulnerability now at https://www.armis.com/resources/iot-security-blog/from-urgent-11-to-frag-44-microsoft-patches-critical-vulnerabilities-in-windows-tcp-ip-stack/ and there is also a PoC out that snuck into another blog at the end of https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/ under the Bonus: CVE-2021-24074 section.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1803 publication
Windows 10 Version 1809 publication
Windows Server 2019 publication
Windows Server 2019 (Server Core installation) publication
Windows 10 Version 1507 publication
Windows 10 Version 1607 publication
Windows Server 2016 publication
Windows Server 2016 (Server Core installation) publication
Windows 7 publication
Windows 7 Service Pack 1 publication
Windows 8.1 publication
Windows Server 2008 Service Pack 2 publication
Windows Server 2008 Service Pack 2 (Server Core installation) publication
Windows Server 2008 Service Pack 2 publication
Windows Server 2008 R2 Service Pack 1 publication
Windows Server 2008 R2 Service Pack 1 (Server Core installation) publication
Windows Server 2012 publication
Windows Server 2012 (Server Core installation) publication
Windows Server 2012 R2 publication
Windows Server 2012 R2 (Server Core installation) publication
Windows 10 Version 1909 publication
Windows Server, version 1909 (Server Core installation) publication
Windows 10 Version 2004 publication
Windows Server version 2004 publication
Windows 10 Version 20H2 publication
Windows Server version 20H2 publication
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1909,
  • windows 10 2004,
  • windows 10 20h2,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2016 1909,
  • windows server 2016 2004,
  • windows server 2019 -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis