A Flaw in the Windows TCP/IP Protocol Stack

TCP/IP Protocol Stack

A flaw has been discovered in the Windows TCP/IP protocol stack implementation, specifically in the driver's handling of IPv6 (IP version 6). A threat actor can use it to perform a Denial of Service (DoS) attack against a target and may be able to execute arbitrary code on it.

This works by exploiting a logic error in tcpip.sys, the Windows kernel-mode driver that implements the TCP/IP stack for every networked Windows system. The error lies in how the driver parses ICMPv6 (ICMP for IPv6) messages, and it can be triggered remotely by sending a specially crafted IPv6 packet to the target.

The logic flaw can be exploited to cause a stack buffer overflow in the kernel, which can be used for a DoS or, potentially, to gain RCE (Remote Code Execution) on the target. Of the two outcomes, the DoS is the easy one: corrupting the kernel stack crashes the machine. RCE is much harder to achieve, because turning a kernel stack overflow into reliable code execution is difficult (the attacker has to defeat the kernel's exploit mitigations rather than simply inject code), so a working exploit may take time to appear.
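The bug class described above, as an added illustration written for this page (it is not code from tcpip.sys, nor from Risk Crew, MSRC or Sophos, and the packet bytes are constructed): a walker over ICMPv6 Neighbor Discovery options, which per RFC 4861 are TLVs with a one-byte type and a one-byte length in units of 8 octets. The unsafe version trusts the packet's own length field when copying an option into a fixed-size stack buffer (the buffer size of 24 bytes and the function names are hypothetical); the hardened version checks the length against both the buffer and the remaining packet before copying, and rejects the zero length that the RFC forbids.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4861 ND options: 1-byte type, 1-byte length in 8-octet units (zero is
 * invalid), then the body. Constructed example, not the tcpip.sys code. */
#define ND_OPT_UNIT   8
/* Hypothetical fixed-size stack buffer each option is copied into. */
#define OPT_BUF_SIZE  24

/* Constructed sample option lists (the bytes following the ICMPv6 header). */
/* Benign: Source Link-Layer Address (type 1) + MTU (type 5), 8 bytes each. */
const uint8_t BENIGN_OPTS[] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc,
};
/* Crafted: type 1 claiming length 0x40 (512 bytes) inside a 16-byte packet. */
const uint8_t CRAFTED_OPTS[] = {
    0x01, 0x40, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
};
/* Crafted: zero-length option, which a naive walker never advances past. */
const uint8_t ZERO_LEN_OPTS[] = {
    0x01, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
};

/* Number of bytes the option claims to occupy, exactly as the packet says. */
size_t nd_option_declared_bytes(const uint8_t *opt)
{
    return (size_t)opt[1] * ND_OPT_UNIT;
}

/* Flawed pattern: the declared length is trusted. Returns the option count.
 * Never call this on untrusted input; CRAFTED_OPTS overflows 'buf' and
 * ZERO_LEN_OPTS loops forever. */
int parse_nd_options_unsafe(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off + 2 <= len) {
        uint8_t buf[OPT_BUF_SIZE];
        size_t olen = nd_option_declared_bytes(opts + off);
        /* olen is compared neither to sizeof buf nor to len - off: a crafted
         * length writes past buf (stack overflow) and reads past the packet. */
        memcpy(buf, opts + off, olen);
        (void)buf;
        count++;
        off += olen;   /* olen == 0 never advances: infinite loop (DoS) */
    }
    return count;
}

/* Hardened: every length is validated against the packet and the buffer.
 * Returns the option count, or -1 if the option list is malformed. */
int parse_nd_options_safe(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                         /* truncated option header */
        size_t olen = nd_option_declared_bytes(opts + off);
        if (olen == 0)
            return -1;                         /* forbidden by RFC 4861 */
        if (olen > len - off)
            return -1;                         /* option runs past the packet */
        if (olen > OPT_BUF_SIZE)
            return -1;                         /* would not fit the stack buffer */
        uint8_t buf[OPT_BUF_SIZE];
        memcpy(buf, opts + off, olen);         /* now provably in bounds */
        (void)buf;
        count++;
        off += olen;
    }
    return count;
}

int main(void)
{
    printf("benign   (safe):   %d options\n", parse_nd_options_safe(BENIGN_OPTS, sizeof BENIGN_OPTS));
    printf("crafted  (safe):   %d (rejected)\n", parse_nd_options_safe(CRAFTED_OPTS, sizeof CRAFTED_OPTS));
    printf("zero-len (safe):   %d (rejected)\n", parse_nd_options_safe(ZERO_LEN_OPTS, sizeof ZERO_LEN_OPTS));
    printf("crafted declares %zu bytes for a %d-byte buffer\n",
           nd_option_declared_bytes(CRAFTED_OPTS), OPT_BUF_SIZE);
    /* The unsafe parser is only ever run on the benign list here. */
    printf("benign   (unsafe): %d options\n", parse_nd_options_unsafe(BENIGN_OPTS, sizeof BENIGN_OPTS));
    return 0;
}
```

The point of the two checks in the hardened walker is that a length field inside the packet is attacker-controlled: it must be bounded by the remaining packet bytes (or the parser reads out of bounds) and by the destination buffer (or it writes out of bounds), and a zero length must be rejected or the loop never terminates.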

The impact:

A successful DoS crashes the kernel of the targeted host (a blue screen), which means service downtime for whatever that host provides; where the crashed hosts are servers or other network infrastructure, the knock-on effect can be severe network congestion. An unplanned crash can also corrupt data that was being written at the time, and all of these outcomes cost time and money.

Whilst no proof of concept for the RCE currently exists in the wild, the flaw remains a critical risk, because a working exploit would give an attacker a reliable, remote method of executing arbitrary code on the target.

The remediation:

The best mitigation against this vulnerability is to apply the Microsoft patch to all affected systems; the affected versions and the corresponding updates are listed in the MSRC advisory referenced below. Where patching must be delayed, disabling IPv6 on hosts that do not use it removes the remote trigger for those hosts, but this is a temporary workaround, not a fix, and every affected system still needs the update.


Source: MSRC, SOPHOS

Risk Crew