Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw


Security experts are ratcheting up the urgency for Windows sysadmins to patch a pre-auth remote code execution vulnerability in the Windows TCP/IP stack, warning that zero-click exploitation is very likely.

Technical details on the vulnerability, tracked as CVE-2024-38063, remain scarce but Microsoft’s sparse documentation suggests a worm-like attack is practical on the newest versions of its flagship operating system.

“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” the software giant warned in a critical-severity bulletin.

Microsoft slapped a CVSS severity score of 9.8/10 and stressed that exploits may be trivial to craft, requiring no privileges or user interaction. 

Chinese researcher Xiao Wei of Cyber KunLun said he discovered the vulnerability “several months ago” and strongly pushed Windows users to deploy the available patches or disable IPv6 as a temporary mitigation.

“Considering its harm, I will not disclose more details in the short term,” the researcher said on social media.
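The interim mitigation mentioned above is to disable IPv6 until the patch is deployed. The following PowerShell script is an added example for this article, not code from Microsoft or the researcher; it assumes the built-in NetAdapter module (Get-NetAdapterBinding / Disable-NetAdapterBinding, component ID ms_tcpip6) and the Microsoft-documented DisabledComponents registry value, and it is written to report first and only unbind when explicitly asked.

```powershell
# Added example (not from the article): audit and optionally remove IPv6
# adapter bindings on a Windows host, as the temporary mitigation for
# CVE-2024-38063 until the August 2024 patch is installed.
# The disable step requires an elevated PowerShell session.

function Get-Ipv6BindingReport {
    # One object per network adapter with its IPv6 (ms_tcpip6) binding state.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, InterfaceDescription, Enabled
}

function Get-Ipv6DisabledComponents {
    # Reads the system-wide IPv6 setting documented by Microsoft.
    # 0xFF disables IPv6 on all interfaces after a reboot; a missing value
    # means the default (IPv6 enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $val = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 0 }
    return [int]$val.DisabledComponents
}

function Disable-Ipv6Binding {
    # Unbinds IPv6 from adapters that currently have it enabled.
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Adapter names to act on; defaults to every adapter with IPv6 bound.
        [string[]]$AdapterName
    )
    $targets = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    if ($AdapterName) {
        $targets = $targets | Where-Object { $AdapterName -contains $_.Name }
    }
    foreach ($b in $targets) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Disable IPv6 binding (ms_tcpip6)')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        }
    }
}

# Usage: report current exposure, then dry-run, then apply deliberately.
Get-Ipv6BindingReport | Format-Table -AutoSize
'DisabledComponents = 0x{0:X}' -f (Get-Ipv6DisabledComponents)
Disable-Ipv6Binding -WhatIf
# Disable-Ipv6Binding -Confirm:$false   # actually unbind (elevated session)
```

Unbinding IPv6 per adapter takes effect immediately, whereas the DisabledComponents value needs a reboot; both are reversible (Enable-NetAdapterBinding, or deleting the registry value). Microsoft's own guidance notes that some Windows components expect IPv6 to be present, so treat this as a stopgap and re-enable it once the patch is confirmed installed.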

Under new vulnerability disclosure laws, companies and researchers in China are required to report vulnerabilities to a government authority for review prior to the issue being shared with the product or service owner. Experts have long warned that China-based nation state threat actors are taking advantage of the legal mandate to “stockpile” zero-days for use in APT attacks.

The TCP/IP bug was included in a massive Patch Tuesday release from Microsoft that also covered six zero-days being actively exploited in the wild.


The raw data on the six exploited zero-days:

CVE-2024-38178 — A memory corruption vulnerability in the Windows Scripting Engine allows remote code execution if an authenticated client is tricked into clicking a link, which lets an unauthenticated attacker initiate code execution. Successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode. This zero-day was reported by AhnLab and South Korea’s National Cyber Security Center, suggesting it was used in a nation-state APT compromise.

CVE-2024-38189 — A remote code execution flaw in Microsoft Project is being exploited via maliciously rigged Microsoft Office Project files on systems where the ‘Block macros from running in Office files from the Internet’ policy is disabled and ‘VBA Macro Notification Settings’ are not enabled, allowing the attacker to perform remote code execution. CVSS 8.8/10.

CVE-2024-38107 — A privilege escalation flaw in the Windows Power Dependency Coordinator is rated “important” with a CVSS severity score of 7.8/10. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said, without providing any IOCs or additional exploit telemetry.

CVE-2024-38106 — Exploitation has been detected targeting this Windows kernel elevation of privilege flaw, which carries a CVSS severity score of 7.0/10. “Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” This zero-day was reported anonymously to Microsoft.

CVE-2024-38213 — Microsoft describes this as a Windows Mark of the Web security feature bypass being exploited in active attacks. “An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience.”

CVE-2024-38193 — An elevation of privilege security defect in the Windows Ancillary Function Driver for WinSock is being exploited in the wild. Technical details and IOCs are not available. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Microsoft also urged Windows sysadmins to pay urgent attention to a major flaw in the Windows Reliable Multicast Transport Driver (RMCAST) that brings remote code execution risks (CVSS 9.8/10); two separate remote code execution issues in Windows Network Virtualization; and an information disclosure issue in the Azure Health Bot (CVSS 9.1).

Related: Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge

Related: Microsoft Warns of Six Windows Zero-Days Being Actively Exploited

Related: Windows Update Flaws Allow Undetectable Downgrade Attacks

Related: Adobe Calls Attention to Massive Batch of Code Execution Flaws

Related: Microsoft Warns of OpenVPN Vulnerabilities, Potential for Exploit Chains
