NAVANEM
CVE-2024-38063

Windows TCP/IP, IPv6 remote code execution (wormable)

An unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine, which could enable remote code execution.

Overview

CVE-2024-38063 is a critical remote code execution vulnerability in the Windows TCP/IP stack affecting IPv6 packet processing. Microsoft has classified this vulnerability as "Exploitation More Likely" and explicitly warned that it is wormable, meaning it could propagate automatically between vulnerable systems without user interaction. The vulnerability affects every supported Windows version where IPv6 is enabled, which is the default configuration on all modern Windows installations.

Technical Details

The vulnerability exists in the Windows TCP/IP driver (tcpip.sys) and manifests as an integer underflow during IPv6 fragment processing. An unauthenticated attacker can send a crafted sequence of IPv6 packets to a Windows machine, triggering the integer underflow condition. This leads to memory corruption within the kernel, enabling pre-authentication remote code execution.

The critical aspects of this vulnerability include:

  • The vulnerable code path is reached before any authentication occurs
  • Exploitation requires only network access to a target with IPv6 enabled
  • The attack operates at the kernel level via tcpip.sys
  • No user interaction is required

Independent security researchers, including Marcus Hutchins (MalwareTech), have developed denial-of-service proof-of-concept exploits. Successful RCE proof-of-concepts have reportedly been demonstrated privately at security research venues.

Impact

This vulnerability represents one of the most severe Windows network vulnerabilities since EternalBlue. The impact ceiling is enormous due to several factors:

  • Universal exposure: IPv6 is enabled by default on all modern Windows systems
  • Wormable nature: Can spread automatically across networks
  • Pre-auth kernel RCE: No credentials or user interaction needed
  • Affects all supported Windows versions: Both servers and workstations are vulnerable

As of late 2024, no public exploitation in the wild has been reported. The technical complexity of achieving reliable RCE (versus DoS) appears to be the primary limiting factor.

Mitigation

  1. Apply the August 13, 2024 Patch Tuesday cumulative update on all Windows hosts immediately
  2. Interim mitigation: disable IPv6 on Internet-facing interfaces with PowerShell: Set-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6 -Enabled $false (note: this unbinds the IPv6 protocol from the adapter and may break DirectAccess and Failover Clustering)
  3. Audit external firewall rules: Block inbound IPv6 at the network edge if not actively used
  4. Avoid disabling IPv6 on domain controllers without thorough testing

Detection

Monitor the Windows System event log for crashes (bugchecks) involving the tcpip driver. Repeated bugcheck events attributable to tcpip.sys may indicate exploitation attempts, since a failed RCE attempt against this bug manifests as a kernel crash. Network-level monitoring for anomalous IPv6 fragment traffic patterns can also help identify potential attacks.
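The following PowerShell script is an added example, not part of the original advisory. It reports a host's posture against the mitigation steps and the detection guidance above: which adapters still have IPv6 bound, whether any update has been installed since the 13 August 2024 Patch Tuesday, and how many kernel crash events the System log holds since then. It assumes it runs elevated; the function name is ours, and it uses the generic bugcheck (Id 1001) and Kernel-Power (Id 41) events as a crash proxy because those messages do not name the faulting driver.

```powershell
# Added example: read-only posture check for the CVE-2024-38063 guidance.
# It changes nothing (disabling IPv6 can break DirectAccess, Failover
# Clustering and domain controllers), it only reports. Run elevated.
function Test-Cve202438063Posture {
    $patchDate = [datetime]'2024-08-13'   # August 2024 Patch Tuesday

    # Mitigation step 2: adapters that still have the IPv6 protocol bound.
    $ipv6Bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object Name, DisplayName, Enabled

    # Mitigation step 1: updates installed on or after the patch date.
    # The advisory gives no KB number, so this only shows whether the host
    # has taken any update since then, not that the fix itself is present.
    $recentFixes = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate } |
        Sort-Object InstalledOn -Descending

    # Detection: kernel crashes since the patch date. Id 1001 is "rebooted
    # from a bugcheck", Id 41 is a Kernel-Power unexpected shutdown. Neither
    # message names the driver; repeated hits mean the memory dump should be
    # examined for tcpip.sys on the faulting stack.
    $crashes = Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            Id        = 1001, 41
            StartTime = $patchDate
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'SystemErrorReporting|Kernel-Power' } |
        Select-Object TimeCreated, Id, ProviderName, Message

    [pscustomobject]@{
        Hostname             = $env:COMPUTERNAME
        IPv6BoundAdapters    = ($ipv6Bound.Name -join ', ')
        UpdatesSince20240813 = ($recentFixes.HotFixID -join ', ')
        KernelCrashesSince   = @($crashes).Count
        CrashEvents          = $crashes
    }
}

$posture = Test-Cve202438063Posture
$posture | Select-Object Hostname, IPv6BoundAdapters, UpdatesSince20240813, KernelCrashesSince |
    Format-List
$posture.CrashEvents | Format-Table TimeCreated, Id, ProviderName -AutoSize
```

An empty UpdatesSince20240813 field alongside a non-empty IPv6BoundAdapters field is the combination the advisory's mitigation steps say to resolve first.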