Recently, a critical security vulnerability (CVE-2024-38063) was discovered in Windows 10/11 and Windows Server systems, located within the IPv6 network stack. Exploiting this vulnerability, an attacker can trigger remote code execution merely by sending specially crafted packets to the target device, without requiring any user interaction.
Given the characteristics of remote code execution and the lack of user interaction, this vulnerability is exceedingly dangerous. Microsoft has already addressed this issue in the security updates released in August, and users can mitigate the risk by simply installing the patch.
In its security advisory, Microsoft emphasized that there is no evidence to suggest that the vulnerability has been exploited by hackers. However, Microsoft also acknowledged that, due to the nature of this vulnerability, it is only a matter of time before someone finds a way to exploit it—and that time has now come.
A proof-of-concept (PoC) for the CVE-2024-38063 vulnerability has already been released by a developer on GitHub. The existence of a PoC indicates that the developer has uncovered the basic method of exploiting the vulnerability, and the next step is to leverage the vulnerability to achieve more complex functionality.
The developer, @Ynwarcs, mentioned that the current PoC code is quite unstable, but the simplest way to reproduce the vulnerability is to use the command `bcdedit /set debug on` on the target system, then restart the target system or virtual machine.
This operation enables the default network card driver, kdnic.sys, which is “more than willing” to cooperate with the specially crafted packets. If one wishes to reproduce the vulnerability in different settings, the target system must be in a position where it can merge and send the packets.
The script provided by the developer includes several configurable fields, the most critical being the target system’s IPv6 address. It also allows sending multiple batches of different packets—the more packets sent, the greater the pressure on the IPv6 stack, and the higher the likelihood of triggering the vulnerability.
If your network environment supports IPv6 addresses, it is imperative to ensure that all Windows systems are fully updated with the latest security patches to close this vulnerability. If updating is not immediately possible, consider disabling IPv6 in your network and relying solely on IPv4 addresses for the time being.
Furthermore, configuring the Windows Firewall will not prevent attacks that trigger this vulnerability, because the malformed packets are processed by the IPv6 stack before they ever reach the firewall’s filtering. Setting up filters for IPv6 inbound and outbound traffic on the firewall is therefore ineffective.
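For administrators triaging hosts against the advice above, the following is an added PowerShell audit script (not part of the article and not the developer’s PoC): it reports which adapters still have IPv6 bound, which routable IPv6 addresses the host exposes, whether the kernel debugger flag set by `bcdedit /set debug on` is active, and, optionally, unbinds IPv6 as the interim mitigation. It assumes an elevated PowerShell session on Windows 10/11 or Server; the `$PatchKb` parameter is a placeholder, since the article does not name the KB number of the August update.

```powershell
# Added example, not from the article or from @Ynwarcs' PoC.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11 or Windows Server.
# $PatchKb is a placeholder; the article gives no KB id for the August fix.
function Get-Ipv6ExposureReport {
    [CmdletBinding()]
    param(
        [string]$PatchKb,      # placeholder, e.g. 'KB<number>' from Microsoft's advisory
        [switch]$DisableIpv6   # interim mitigation the article suggests if patching must wait
    )

    # 1. Which adapters still have the IPv6 stack (ms_tcpip6) bound?
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled

    # 2. Routable (non link-local, non loopback) IPv6 addresses are reachable from off-link.
    $routable = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notmatch '^fe80:' -and $_.IPAddress -ne '::1' } |
        Select-Object InterfaceAlias, IPAddress

    # 3. Kernel debugger flag: bcdedit prints a "debug  Yes" line for the current boot entry.
    $bcd = bcdedit /enum '{current}' 2>$null
    $debugOn = [bool]($bcd | Where-Object { $_ -match '^\s*debug\s+Yes\s*$' })

    # 4. Patch state, only checked when a KB id is supplied.
    $patched = $null
    if ($PatchKb) {
        $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }

    if ($DisableIpv6) {
        # Unbind IPv6 from every adapter; reversible with Enable-NetAdapterBinding.
        Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    }

    [pscustomobject]@{
        Ipv6BoundAdapters  = @($bindings | Where-Object Enabled).Name
        RoutableIpv6       = $routable
        KernelDebugEnabled = $debugOn
        PatchInstalled     = $patched
        Ipv6Unbound        = [bool]$DisableIpv6
    }
}

# Usage: report only; add -DisableIpv6 to apply the interim mitigation.
Get-Ipv6ExposureReport | Format-List
```

Unbinding ms_tcpip6 at the adapter level is what the article’s advice amounts to; Microsoft separately documents the `DisabledComponents` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters` for a more complete disable, which requires a reboot.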