Windows TCP/IP Remote Code Execution

Priority: Critical

Summary:
On 9 February 2021 Microsoft released a number of fixes for vulnerabilities in Windows' TCP/IP implementation, including two that can lead to remote code execution (RCE) [1].

The associated CVE references are CVE-2021-24074 [2], CVE-2021-24094 [3] and CVE-2021-24086 [4]. The first two are the RCE vulnerabilities; the third is a denial of service (DoS) vulnerability.

Microsoft state that the two RCE vulnerabilities are complex and difficult to exploit, so working RCE exploits are unlikely to appear in the short term. They expect, however, that a DoS exploit will be much quicker for attackers to develop, and for that reason we recommend that customers apply this month's security updates promptly. There is currently no evidence that these vulnerabilities are being exploited in the wild, but their disclosure is likely to draw the attention of malicious groups, who will attempt to reverse engineer the fixes and develop exploits; hence Microsoft's recommendation for expedited patching.

The vulnerabilities were discovered by Microsoft during their ongoing security hardening efforts, and further technical details have not been released.

Affected Products:
The vulnerabilities exist in Microsoft's implementation of the TCP/IP stack and, therefore, affect all supported Windows client and server versions.

Prevention:

Microsoft have released fixes in February's Windows Security Updates, and customers should act quickly to apply them. If this is not possible, Microsoft have published workarounds, which are outlined under React below and are available at the URLs cited in this bulletin's sources.

React:
These vulnerabilities will be picked up in regular VI scanning for ITC customers that have the managed VI service. ITC's Sentinel SIEM service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks.

If customers are not able to apply the security fixes, the following workarounds have been provided by Microsoft and do not require rebooting the affected system:

CVE-2021-24074 workarounds:

  1. Set sourceroutingbehavior to "drop" using the following command:
    netsh int ipv4 set global sourceroutingbehavior=drop

    IPv4 source routing is considered insecure and is blocked by default in Windows; however, a system still processes the request and returns an ICMP message denying it. The workaround causes the system to drop these requests altogether without any processing.

    To undo the workaround, use the following command:
    netsh int ipv4 set global sourceroutingbehavior=dontforward

  2. Configure firewalls or load balancers to disallow source-routed requests.

CVE-2021-24094 and CVE-2021-24086 workarounds:

  1. Set global reassemblylimit to 0 using the following command:
    netsh int ipv6 set global reassemblylimit=0

    There is a potential for packet loss when discarding out-of-order packets. To undo the workaround, use the following command to restore the default value of 267748640:
    netsh int ipv6 set global reassemblylimit=267748640
  2. Configure firewall or load balancers to disallow IPv6 UDP fragmentation.


Note that these vulnerabilities are partly mitigated by the fact that IPv6 link-local addresses are not routable on the internet and cannot be reached by remote attackers; for systems that are only configured with IPv6 link-local addresses, an attack would therefore need to originate from the same logical network.

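The workarounds above are applied and undone with four separate netsh commands, and nothing in the advisory text tells you how to confirm the change took effect. The following PowerShell script is an added example, not part of Microsoft's or ITC's guidance: it applies, reverts or reports both workarounds from one place and verifies the result by reading the current values back from "netsh int <family> show global". The netsh set/undo commands and the default value 267748640 are exactly those Microsoft published; the script layout, the -Action parameter, the function names and the regex parsing of the show output are this example's own assumptions.

```powershell
<#
  Added example (not Microsoft's or ITC's own code): check, apply or revert
  the netsh workarounds for CVE-2021-24074 (IPv4 source routing) and
  CVE-2021-24094 / CVE-2021-24086 (IPv6 reassembly), then confirm the
  resulting value from "netsh int <family> show global".
  Run from an elevated prompt; none of these changes need a reboot.
#>
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status'
)

# Workaround value (Apply) and the default Microsoft says to restore (Revert),
# plus the label that "netsh int <family> show global" prints for each setting.
$Settings = @(
    @{ Family = 'ipv4'; Key = 'sourceroutingbehavior'; Label = 'Source Routing Behavior'; Apply = 'drop'; Revert = 'dontforward' }
    @{ Family = 'ipv6'; Key = 'reassemblylimit';       Label = 'Reassembly Limit';        Apply = '0';    Revert = '267748640' }
)

function Get-NetshGlobalValue {
    param([string]$Family, [string]$Label)
    # show global prints one "<Label>   : <value>" line per setting, e.g.
    # "Reassembly Limit : 267748640 bytes". The labels are locale-specific;
    # this parsing assumes an English-language system.
    $lines = & netsh int $Family show global 2>&1
    foreach ($line in $lines) {
        if ($line -match "^\s*$([regex]::Escape($Label))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Set-NetshGlobalValue {
    param([string]$Family, [string]$Key, [string]$Value)
    # Same command form as the advisory: netsh int ipv4 set global sourceroutingbehavior=drop
    $out = & netsh int $Family set global "$Key=$Value" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh int $Family set global $Key=$Value failed: $out" }
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Action -ne 'Status' -and -not (Test-IsElevated)) {
    throw 'Changing global TCP/IP settings requires an elevated (Administrator) prompt.'
}

foreach ($s in $Settings) {
    $before = Get-NetshGlobalValue -Family $s.Family -Label $s.Label
    $target = switch ($Action) { 'Apply' { $s.Apply } 'Revert' { $s.Revert } default { $null } }

    # Only touch the setting when it is not already at the requested value.
    if ($target -and $before -ne $target) {
        Set-NetshGlobalValue -Family $s.Family -Key $s.Key -Value $target
    }
    $after = if ($target) { Get-NetshGlobalValue -Family $s.Family -Label $s.Label } else { $before }

    $state = 'unexpected (check manually)'
    if ($after -eq $s.Apply) { $state = 'workaround active' } elseif ($after -eq $s.Revert) { $state = 'default' }

    [pscustomobject]@{
        Family  = $s.Family
        Setting = $s.Key
        Before  = $before
        After   = $after
        State   = $state
    }
}
```

Run it as ".\Set-TcpIpWorkarounds.ps1" (the file name is an assumption) to report the current state of both settings, "-Action Apply" to set them to Microsoft's workaround values, and "-Action Revert" once the February updates are installed. Bear in mind the caveat from the advisory text: reassemblylimit=0 makes the host discard out-of-order IPv6 fragments, so expect some packet loss on IPv6 traffic that relies on fragmentation while the workaround is in place, and treat the "unexpected" state as a prompt to inspect the netsh output by hand, for example on a non-English system where the labels differ.
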
Sources:
[1] https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086