CVE-2024-38063 is a critical remote code execution vulnerability in Windows that can be exploited via specially crafted IPv6 packets. Microsoft has released patches, and SonicWall has enhanced protections to mitigate exploitation risks associated with this flaw. #CVE2024-38063 #WindowsIPv6 #tcpip.sys #SonicWall #CyberKunLun
Keypoints
- CVE-2024-38063: A critical remote code execution vulnerability in Windows systems.
- CVSS Score: 9.8, indicating high severity.
- Nature: Zero-click and wormable, allowing remote code execution via IPv6 packets.
- Affected Systems: Windows 10, Windows 11, and Windows Server.
- Mitigation: Microsoft has released patches; users are urged to apply them immediately.
- SonicWall Protections: Enhanced firewall protections against malicious IPv6 fragmented packets.
- Patch Details: Introduces checks in the tcpip.sys driver to prevent exploitation via malformed IPv6 packets.
- Researcher: Discovered by a Chinese researcher from Cyber KunLun and disclosed by Microsoft.
MITRE Techniques
- [T1203] Remote Code Execution – Exploitation of vulnerabilities to execute arbitrary code on remote systems. Quote: ‘Remote Code Execution (T1203) Exploitation of vulnerabilities to execute arbitrary code on remote systems.’
- [T1203] Exploitation for Client Execution – Utilizing vulnerabilities in network protocols to execute code on client systems. Quote: ‘Exploitation for Client Execution (T1203) Utilising vulnerabilities in network protocols to execute code on client systems.’
- [T1071] Command and Control – Establishing a command and control channel for remote exploitation. Quote: ‘Establishing a command and control channel for remote exploitation.’
Indicators of Compromise
- [Network] context – malicious IPv6 fragmented packets, and IPv6 fragment was dropped in logs