Microsoft has fixed two critical remote code execution flaws in the TCP/IP implementation in Windows that could be exploited by network-based attackers to either gain control of a target system or cause a denial-of-service. Microsoft said the flaws will be difficult to exploit for code execution, but DoS attacks could be on the horizon soon.
In addition to those two flaws, Microsoft also warned about a related vulnerability in the TCP/IP stack that’s less serious but also could be used in a DoS attack. The fixes for these flaws were included in the company’s monthly Patch Tuesday release yesterday. Microsoft is urging customers to apply the updates for these three vulnerabilities as soon as possible because of the high risk of attacks.
“The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month,” Microsoft said.
“The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.”
The three vulnerabilities (CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086) affect both the IPv4 and IPv6 TCP/IP implementations in Windows and they are present in all versions of Windows. Microsoft has developed some workarounds for the flaws for organizations that may not be able to take servers or other Windows systems offline right away for updates. The workarounds are different for the two TCP/IP implementations, and the IPv4 version is less complicated.
“The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state. This workaround is documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot,” Microsoft said.
For devices using IPv6, the workaround involves blocking IPv6 fragments, an action that could cause problems for affected devices.
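Before applying either workaround, it helps to know how much legitimate traffic it would touch. The following is an added example, not code from Microsoft or from this article: it flags captured packets that carry an IPv4 source-route option or an IPv6 Fragment header, on the assumption that those are the packets the workarounds act on. The function names and sample packets are constructed for illustration.

```python
import struct

LSRR, SSRR = 131, 137          # IPv4 source-route option types (RFC 791)
EXT_BEFORE_FRAG = (0, 43, 60)  # hop-by-hop, routing, destination options
FRAGMENT = 44                  # IPv6 Fragment header (RFC 8200)

def ipv4_source_routed(pkt: bytes) -> bool:
    """True if the IPv4 header carries a loose or strict source-route option."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    i, end = 20, min((pkt[0] & 0x0F) * 4, len(pkt))
    while i < end and pkt[i] != 0:             # 0 = End of Option List
        if pkt[i] in (LSRR, SSRR):
            return True
        if pkt[i] == 1:                        # No-Operation is a single byte
            i += 1
        elif i + 1 < end and pkt[i + 1] >= 2:  # other options carry a length byte
            i += pkt[i + 1]
        else:
            return False                       # malformed option list
    return False

def ipv6_fragmented(pkt: bytes) -> bool:
    """True if the IPv6 extension-header chain reaches a Fragment header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nxt, off = pkt[6], 40
    while nxt in EXT_BEFORE_FRAG:
        if off + 2 > len(pkt):
            return False
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nxt == FRAGMENT

# Constructed sample packets (documentation addresses, zero checksums).
def v4(options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options), 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options

def v6(next_header: int, payload: bytes = b"") -> bytes:
    addr = bytes.fromhex("20010db8" + "00" * 12)
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr * 2 + payload

FRAG_HDR = bytes([17, 0, 0, 1, 0, 0, 0, 1])    # next=UDP, offset 0, M flag set
SAMPLES = {
    "v4-plain": v4(),
    "v4-router-alert": v4(bytes([148, 4, 0, 0])),
    "v4-lsrr": v4(bytes([131, 7, 4, 198, 51, 100, 1])),
    "v6-udp": v6(17, b"\x00" * 8),
    "v6-frag": v6(FRAGMENT, FRAG_HDR),
    "v6-dstopt-frag": v6(60, bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0]) + FRAG_HDR),
}

def affected(samples=SAMPLES):
    return sorted(n for n, p in samples.items()
                  if ipv4_source_routed(p) or ipv6_fragmented(p))
```

Run over packets exported from a capture at the network edge, `affected()` gives a count of flows that depend on source routing or IPv6 fragmentation and would need attention if the workarounds are applied.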
“These vulnerabilities were discovered by Microsoft as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Microsoft said.
“It is important that affected systems are patched as quickly as possible because of the elevated risk associated with these vulnerabilities.”
Among the other vulnerabilities that Microsoft fixed this month is a local privilege escalation flaw that the company said has been actively exploited by attackers. That vulnerability (CVE-2021-1732) affects Windows 10 and Windows Server.