Microsoft Remote Code Execution for Windows TCP/IP IPv6
Over the past three years, the second Tuesday of each month has turned into a hectic period of planning and remediation, driven by a 25% average annual growth rate in CVEs. Just last Tuesday, Microsoft revealed a critical TCP/IP remote code execution (RCE) vulnerability in the IPv6 stack, which has a CVSS score of 9.8 due to its criticality and ease of exploitation. For a more in-depth look, we recommend these resources:
- Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
- Microsoft CVE: Windows TCP/IP Remote Code Execution Vulnerability
This CVE has been added to the list of critical patches that need to be patched before a Windows machine can access the network. While you are running through your emergency patch cycles – Forescout has put together a Forescout Network Security policy to help identify machines that may miss patch windows or are too critical to patch immediately.
You can download the policy through our Knowledge Base Article
- Main Rule – Windows Domain Managed (current) or SC Managed: Manageable Hosts within the organizations patch management program
- Patched – Not vulnerable: This uses the Windows hotfix property with a list of KBs provided by Microsoft for each OS version. This rule can also be augmented with your VA scanner integration through our Forescout Extend capabilities.
- Mitigated – IPv6 is disabled for the system: This checks a registry key that determines if IPv6 is enabled for the OS entirely. Microsoft does not recommend disabling IPv6 as other subsystems may not function, but specific assets may not have other mitigation strategies, and it’s important to track.
- Mitigated – IPv6 disabled on all interfaces: This checks the alternate option of disabling IPv6 for all available network interfaces with a simple Powershell command.
- Vulnerable – IPv6 enabled on any interface and NOT patched: This uses the same PowerShell command to identify if any interfaces have IPv6 enabled. There are two disabled mitigation actions available. One is to force a Windows update. The other is to apply the registry key mitigation to disable IPv6 for the system. Customers should use this with caution and test for any negative impact for their environment. It will also require a system restart (or network services) to take effect.