Proof-of-concept code released for zero-click critical IPv6 Windows hole
If you haven't deployed August's patches, get busy before others do
Windows users who haven't yet installed the latest fixes to their operating systems will need to get a move on, as code now exists to exploit a critical Microsoft vulnerability announced by Redmond two weeks ago.
The flaw, CVE-2024-38063, has a CVSS score of 9.8 since it would allow an unauthenticated attacker to run code remotely on an unpatched machine by using a specially designed IPv6 packet and spamming it out to find vulnerable machines. The only workaround is to disable IPv6 and rely instead on IPv4 - which isn't realistic for many people.
Windows 10, Windows 11, and Windows Server systems are all vulnerable. At the time, Microsoft said that there was no evidence of the flaw being exploited in the wild, but ranked it "More Likely" that someone would find a way to use it.
And so it came to pass. A coder with the handle Ynwarcs has now released software designed to exploit the vulnerability. They point out that the PoC code is "rather flaky." However, "the easiest way to reproduce the vuln is by using bcdedit /set debug on
on the target system and restarting the machine/VM," they advise.
"This makes the default network adapter driver kdnic.sys, which is very happy to coalesce packets. If you're trying to reproduce the vuln on a different setup, you'll need to get the system in a position where it will coalesce the packets you sent."
Microsoft issued a fix for the problem in the latest Patch Tuesday release on August 13, but it's not uncommon for admins to hold off to see if any patches cause problems (as the August patches did for Linux users) or simply shift them down the queue because of more pressing things needing attention. This has led to the phenomenon of Exploit Wednesday, wherein black hatters would use patch information to attack the recently exposed flaws, although in practice they aren't that quick off the draw.
- Microsoft patches scary wormable hijack-my-box-via-IPv6 security bug and others
- Microsoft's Patch Tuesday borks dual-boot Linux-Windows PCs
- Volt Typhoon suspected of exploiting Versa SD-WAN bug since June
- You probably want to patch this critical GitHub Enterprise Server bug now
On Tuesday Marcus Hutchins, who you may remember as the hacker who thwarted the WannaCry malware attack and was later arrested for teenage computer crimes, published his take on the vulnerability, although without proof-of-concept code.
"Usually, even just reverse engineering the patch to figure out which code change corresponds to the vulnerability can take days or even weeks, but in this case it was instant," he noted.
"It was so easy, in fact, that multiple people on social media told me I was wrong and that the bug was somewhere else. There was exactly one change made in the entire driver file, which it turns out, actually was the bug after all."
Now that this particular vulnerability has received such detailed attention from white hat hackers, the criminals are sure to follow. The zero-click aspect and its ubiquity make this ideal fodder for online scumbags looking to make a buck. So get patching - you have been warned. ®