PoC code released for zero-click Windows critical vuln

Windows users who have yet to install the latest updates to their operating systems are urged to act swiftly, as a critical vulnerability identified by Microsoft has now become exploitable. The flaw, designated CVE-2024-38063, carries a CVSS score of 9.8, indicating its severity. It permits an unauthenticated attacker to execute code remotely on an unpatched machine by means of specially crafted IPv6 packets, which can be sent out broadly to locate vulnerable systems. The only temporary workaround is to disable IPv6 and fall back to IPv4, a measure that may not be feasible for many users.

Details of the Vulnerability

All versions of Windows 10, Windows 11, and Windows Server are susceptible to this vulnerability. Initially, Microsoft reported no evidence of the flaw being exploited in the wild but classified it as “More Likely” that it would soon be targeted. This prediction has now materialized, as a developer known as Ynwarcs has released software intended to exploit the vulnerability. While the proof-of-concept (PoC) code is described as “rather flaky,” it provides a straightforward method for reproducing the vulnerability: running the command “bcdedit /set debug on” on the affected system and rebooting.

This action activates the default network adapter driver, kdnic.sys, which efficiently coalesces packets. For those attempting to replicate the vulnerability on different setups, it is crucial to configure the system to ensure it can coalesce the packets sent.

Microsoft addressed this issue in the latest Patch Tuesday release on August 13. However, it is not uncommon for system administrators to delay patch installations to monitor for potential issues, as seen with the August updates affecting Linux users. This cautious approach has given rise to a phenomenon dubbed “Exploit Wednesday,” where malicious actors leverage patch information to target newly exposed vulnerabilities, although they often do not act as quickly as one might expect.

On Tuesday, Marcus Hutchins, known for his role in thwarting the WannaCry malware attack and his subsequent legal troubles, shared insights regarding the vulnerability, albeit without providing proof-of-concept code. He remarked on the unusually rapid identification of the flaw, stating, “Usually, even just reverse engineering the patch to figure out which code change corresponds to the vulnerability can take days or even weeks, but in this case it was instant.” Hutchins noted that there was a single change made in the driver file that ultimately turned out to be the bug.

With this vulnerability now under the scrutiny of white hat hackers, it is only a matter of time before malicious actors take notice. The zero-click nature of the exploit, combined with its widespread impact, makes it an appealing target for cybercriminals seeking to capitalize on the situation. Users are strongly encouraged to prioritize patching their systems to mitigate the risks associated with this vulnerability.
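Two things an administrator can check on a fleet, following from the article above: whether IPv6 is still bound on each adapter (the temporary workaround is to unbind it), and whether kernel debugging is switched on, the setting the PoC depends on to load kdnic.sys. The script below is an added example, not code from the article or from the PoC author; the output file path it writes is an assumption, and it must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the PoC author): audit a Windows host
# for the two conditions the article discusses, then optionally apply the
# IPv6 workaround. Run from an elevated PowerShell session.
param(
    [switch]$DisableIPv6   # apply the workaround: unbind IPv6 from every adapter
)

# 1. Which adapters still have the IPv6 stack (component ms_tcpip6) bound?
$ipv6Bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
    Select-Object Name, Enabled
$ipv6Bindings | Format-Table -AutoSize

# 2. Is kernel debugging enabled? The article notes that "bcdedit /set debug on"
#    activates kdnic.sys, the configuration the public PoC relies on. Production
#    hosts normally should not have it set.
$debugLine = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*debug\s+'
$debugOn = $debugLine -and ($debugLine.Line -match '\sYes\s*$')
if ($debugOn) {
    Write-Warning 'Kernel debugging is enabled (bcdedit debug=Yes); review whether this is intended.'
} else {
    Write-Output 'Kernel debugging is not enabled.'
}

# 3. Optional workaround from the article: disable IPv6 until the August 2024
#    update is installed. Record which adapters were changed so the step can be
#    reversed after patching. (File path is an assumption for this example.)
if ($DisableIPv6) {
    $recordPath = Join-Path $env:ProgramData 'ipv6-workaround-adapters.txt'
    $changed = $ipv6Bindings | Where-Object Enabled | ForEach-Object {
        Disable-NetAdapterBinding -Name $_.Name -ComponentID 'ms_tcpip6' -Confirm:$false
        $_.Name
    }
    $changed | Set-Content -Path $recordPath
    Write-Output "IPv6 unbound from: $($changed -join ', ')"
    Write-Output "Re-enable after patching with: Get-Content '$recordPath' | ForEach-Object { Enable-NetAdapterBinding -Name `$_ -ComponentID ms_tcpip6 }"
}
```

Run without arguments to audit only; add -DisableIPv6 to apply the workaround, and use the printed Enable-NetAdapterBinding line to restore IPv6 once the August update is installed.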
