Exploit
CVE-2024-38063

Integer Underflow (Wrap or Wraparound) (CWE-191)

Published: Aug 13, 2024

CVSS 9.8 | EPSS 0.09% | Critical

Summary

Windows TCP/IP Remote Code Execution Vulnerability. This is a critical vulnerability affecting the TCP/IP implementation in Windows. It allows for remote code execution without requiring user interaction and can be exploited over the network with low attack complexity. No privileges are needed to exploit this vulnerability.

Impact

This vulnerability has a high impact on confidentiality, integrity, and availability. If exploited, an attacker could execute arbitrary code on the target system, potentially leading to full system compromise. The attacker could install programs, view, change, or delete data, or create new accounts with full user rights. Given its network attack vector and the lack of required user interaction, it could potentially be used for widespread attacks across multiple systems.

Exploitation

Multiple proof-of-concept exploits are available on github.com. Its exploitation has been reported by various sources, including kill-the-newsletter.com.

Patch

A patch is available. Microsoft released an official fix for this vulnerability on August 13, 2024. The security update should be applied as soon as possible to mitigate the risk.

Mitigation

1. Apply the security update provided by Microsoft immediately.
2. Implement network segmentation and firewall rules to limit exposure of vulnerable systems.
3. Monitor for suspicious network activity that could indicate exploitation attempts.
4. Keep all Windows systems up to date with the latest security patches.
5. Consider disabling or restricting access to TCP/IP services on critical systems until patching is complete.
6. Implement the principle of least privilege across your network to minimize potential impact.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92160)

Aug 13, 2024 at 7:53 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Aug 13, 2024 at 5:35 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-38063. See article

Aug 13, 2024 at 5:37 PM / Microsoft Security Advisories - MSRC
CVE Assignment

NVD published the first details for CVE-2024-38063

Aug 13, 2024 at 6:15 PM
Threat Intelligence Report

CVE-2024-38063 is a critical Remote Code Execution vulnerability affecting Windows TCP/IP with a CVSSv3 score of 9.8. It is rated as “Exploitation More Likely” and can be exploited remotely by sending specially crafted IPv6 packets. Microsoft has released patches for all supported versions of Windows, and mitigation suggestions include disabling IPv6 to prevent exploitation. See article

Aug 13, 2024 at 7:15 PM
Trending

This CVE started to trend in security discussions

Aug 27, 2024 at 9:57 PM
Trending

This CVE stopped trending in security discussions

Sep 1, 2024 at 3:35 PM
Exploitation in the Wild

Attacks in the wild have been reported by SANS NewsBites. See article

Sep 8, 2024 at 1:13 PM / SANS NewsBites
CVSS

A CVSS base score of 9.8 has been assigned.

Sep 10, 2024 at 5:36 PM / microsoft

Affected Systems

Microsoft/windows_10_1607

Exploits

https://github.com/Sachinart/CVE-2024-38063-POC

Patches

Microsoft

Vendor Advisory

CVE-2024-38063 - Security Update Guide - Microsoft - Windows TCP/IP Remote Code Execution Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

References

Did expediting the 2024-08 Quality Updates fail for anyone else?
Due to the CVE-2024-38063 vulnerability, we attempted to use the Expedited Quality Updates feature to enforce the immediate installation of the 2024-08 security updates. I posted this question yesterday on the Windows Servicing board, but there isn't much activity there.
Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
CVE-2024-38063 - Security Update Guide - Microsoft - Windows TCP/IP Remote Code Execution Vulnerability

News

Overview: CVE-2024-38063 is a critical zero-click remote code execution (RCE) vulnerability…
This flaw resides in the Windows TCP/IP stack and can be exploited by sending specially crafted IPv6 packets to a vulnerable system. Overview: CVE-2024-38063 is a critical zero-click remote code execution (RCE) vulnerability affecting all Windows systems with IPv6 enabled.
Exploit for Integer Underflow (Wrap or Wraparound) in Microsoft exploit
CVE-2024-38063 (2024-08-14) selenagomez25/CVE-2024-38063
Dragkob/CVE-2024-38063

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
