
Windows TCP/IP RCE and DoS Vulnerabilities


Summary

Details of critical vulnerabilities in the Windows TCP/IP implementation have been released by Microsoft. These could be exploited on vulnerable Windows and Windows Server systems to cause a denial of service or execute arbitrary code.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Microsoft has released details of denial of service (DoS) and remote code execution (RCE) vulnerabilities affecting the Windows TCP/IP implementation. Microsoft states that these vulnerabilities may be exploited by a remote, unauthenticated attacker to execute arbitrary code or cause a blue screen fault on any Windows system that is directly exposed to the internet.


Vulnerabilities

The vulnerabilities appear to be the result of flaws in the way the Windows TCP/IP implementation handles IPv4 source routing requests and IPv6 packets that arrive out of sequence. Microsoft has warned that these vulnerabilities pose an elevated risk and that attackers may be able to create DoS exploits quickly.

For further information:


Remediation advice

Microsoft released updates to address these vulnerabilities as part of their standard monthly security releases, and states it is essential to apply these updates as soon as practicable. Affected organisations should immediately test and confirm the updates can be applied on the network, and then apply the updates to all Windows systems. Any systems connected directly to the internet should be prioritised:

Organisations that cannot apply the updates immediately should consider applying Microsoft's suggested workarounds to disable IPv6 packet reassembly and drop IPv4 source routing requests without any processing, using the following steps:

  1. netsh int ipv6 set global reassemblylimit=0
  2. netsh int ipv4 set global sourceroutingbehavior=drop

The commands specified above do not require restarting a server. Note that Microsoft has confirmed there is a potential for packet loss when discarding out-of-order packets, which may impact services that depend on IPv6. Commands to reverse the workarounds are included in the Microsoft articles linked above.
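The following PowerShell script is an added example, not part of the advisory or of Microsoft's guidance. It records the current IPv6 reassembly limit and IPv4 source routing behaviour before applying the two netsh workarounds above, so that the original values are available for rollback once the security updates have been installed. It assumes an elevated prompt, English-language netsh output (the labels "Reassembly Limit" and "Source Routing Behavior"), and a backup file location under the user's temporary directory; all of these are assumptions.

```powershell
# Added example (not from the advisory): record the pre-change TCP/IP global
# settings, apply the two netsh workarounds, and verify the result.
# Assumes an elevated PowerShell prompt and English-language netsh output.
$backup = Join-Path $env:TEMP 'tcpip-workaround-backup.txt'   # assumed location

function Get-GlobalSetting {
    param([string]$Family, [string]$Label)
    # netsh prints one "Label : value" line per setting; return the value
    # for the requested label, or fail loudly if the label is not found.
    $line = (netsh int $Family show global) | Where-Object { $_ -match "^\s*$Label\s*:" }
    if (-not $line) { throw "Could not read '$Label' from: netsh int $Family show global" }
    return ($line -split ':', 2)[1].Trim()
}

# 1. Record the current state so the workaround can be reversed later.
$reassembly  = Get-GlobalSetting -Family ipv6 -Label 'Reassembly Limit'          # e.g. "267748640 bytes"
$sourceRoute = Get-GlobalSetting -Family ipv4 -Label 'Source Routing Behavior'   # e.g. "dontforward"
"netsh int ipv6 set global reassemblylimit=$(($reassembly -split ' ')[0])" | Out-File $backup
"netsh int ipv4 set global sourceroutingbehavior=$sourceRoute"              | Out-File $backup -Append

# 2. Apply the workarounds exactly as given in the advisory (no restart required).
netsh int ipv6 set global reassemblylimit=0
netsh int ipv4 set global sourceroutingbehavior=drop

# 3. Confirm the new state before relying on it.
$after6 = Get-GlobalSetting -Family ipv6 -Label 'Reassembly Limit'
$after4 = Get-GlobalSetting -Family ipv4 -Label 'Source Routing Behavior'
if ($after6 -notmatch '^0\b' -or $after4 -ne 'drop') {
    Write-Warning "Workaround not applied as expected: reassembly='$after6', source routing='$after4'"
} else {
    Write-Host "Workaround applied. Rollback commands saved to $backup for use after patching."
}
```

The backup file contains the two netsh commands needed to restore the recorded values, which should be run once the monthly security updates have been applied and verified.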

An alternative workaround is to configure firewalls or load balancers to disallow source routing requests and IPv6 UDP fragmentation. Please see the information below from a major vendor:

Workarounds should only be considered as a temporary measure until security updates can be applied.



Last edited: 18 February 2021 3:01 pm