CVE-2024-38063 - Or, IPv6 fucks everyone again, and still nobody actually uses it

[gagabobo1997]

Seems like if your ISP doesn't support IPv6 or a router filtering it out would stop it. Feel free to correct me if I'm wrong. Still, you should update your shit.

Yes, if you can block the packets before they reach your windows machine you'll be fine. But just update.

 

[Betonhaus]

I'll let my roommates know, and I'll fire up my sole Windows virtual machine so it can run updates

I got ipv6 disabled on my network tho

 

[Seymour Duncan]

FYI disabling ipv6 doesn't seem to work against this vulnerability, since it seems that the attack takes place before your firewall can block ipv6 packets. seems like a problem with the windows ip/tcp stack implementation. Just update.
View attachment 6311747

https://nitter.poast.org/cytexsmb/status/1824117622180315212

The firewall doesn't help because the Windows IPv6 stack has to accept and analyze the packets before it can do any firewalling, and it's here where the attack sinks its teeth into your system. Disabling the stack means the packets get discarded as junk before the system can read deep enough into the mangled part to get owned and it's official Microsoft advice for temporary mitigation.

 

[Agent Abe Caprine]

Kiwifarms MS-DEFCON rating: 3. There are widespread problems with current patches. It is prudent to patch, but check your results carefully.

 

[${Sandy}]

I went to install the patch and my pc did it automatically a few days ago. Auto-update isn't so bad after all.

 

[UERISIMILITUDO]

This is part of the reason an acquaintance of mine shuns IPv6. I asked him about it years ago, since IPv6 didn't seem too bad to me at the time, and he told me that the very implementations are a constant source of vulnerabilities that simply don't occur with IPv4. I really don't think IPv6 is ever going to matter.

 

[Seymour Duncan]

This is part of the reason an acquaintance of mine shuns IPv6. I asked him about it years ago, since IPv6 didn't seem too bad to me at the time, and he told me that the very implementations are a constant source of vulnerabilities that simply don't occur with IPv4. I really don't think IPv6 is ever going to matter.

It's pretty much turned into a two tiered system where losers with shit ISPs enjoy IPv6 and CGNAT while premium connections get a real public facing IPv4 with an optional IPv6 on the side.

 

[The Cunting Death]

I updated yesterday

 

[indigoisviolet]

Switching it off in Settings didn't change anything from a practical point of view, everything still loads and whatever.

 

[Nuns with guns]

So glad I’m not a cuck and I’m running macOS. Now if you excuse me, I’ll beg Craig Federighi to please add features that have existed on Windows for a decade now and I’ll pay a premium for 8GB extra of RAM.

 

[glow]

The info isn't out yet but I have a theory: Even if your network and ISP doesn't support ipv6 I'm guessing you could use this to escalate privileges if an attacker has some kind of a basic foothold. It's more relevant to sysadmins probably (lmao @ anyone running windows in production) but install your patches kiwibros.

 

[Ghostse]

imagine actually using IPv6. lol.

 

[reptile baht spaniard rid]

It's pretty much turned into a two tiered system where losers with shit ISPs enjoy IPv6 and CGNAT while premium connections get a real public facing IPv4 with an optional IPv6 on the side.

What’s hilarious is some ISPs are rolling out brand new fiber in 2024 that can’t do IPv6 for god knows what reason. What a shit show it’s been.

 

[PunkinMan]

Hackers can send fancy ipv6 packets to your machine which, though an integer underflow as the vulnerability mechanism, runs remote code on your machine. This code can install further malware and backdoors.

explanation for extra retards like me, speedy thing goes in speedy thing comes out.

 

[Lokenstien]

I don't think I would have even have heard about this issue or how to mitigate it if it wasn't for the banner message. Thank you Null!

 

[Seymour Duncan]

The info isn't out yet but I have a theory: Even if your network and ISP doesn't support ipv6 I'm guessing you could use this to escalate privileges if an attacker has some kind of a basic foothold. It's more relevant to sysadmins probably (lmao @ anyone running windows in production) but install your patches kiwibros.

Absolutely, you could just hose packets into the multicast address for free easy godmode if the network isn't locked down properly. Hell, plug into random jacks at offices when nobody is looking and hope you get lucky with an unsecured switchport.

edit because I ain't double posting

What’s hilarious is some ISPs are rolling out brand new fiber in 2024 that can’t do IPv6 for god knows what reason. What a shit show it’s been.

Even better, I've seen a fiber ISP roll out CGNAT alongside a lack of IPv6. You're paying 60 buckaroonies a month for a gigabit hose and you want your own IP address? Tough luck bitch nigga, write to our customer service and hope the pajeets are merciful enough this time of the month to give you one from our tiny ass address block.

 

[Bored & Confused]

What about my XP and 7 machines? Will they be affected?

 

[Seymour Duncan]

What about my XP and 7 machines? Will they be affected?

This is being patched for Server 2008 which is based on Windows Vista, 7 is likely just as affected but it isn't being patched since it's past the paid ESU date and Microsoft hates you for still sticking with 7.

 

[dick brain]

Systems are not affected if IPv6 is disabled on the target machine.

FYI disabling ipv6 doesn't seem to work against this vulnerability,

EDIT: if anyone else can't updoot for whatever reason, disable IPv6 on your networking controller, not on windows firewall.

Any conclusive answer on this yet? Will disabling IPV6 on networking controller prevent exploit?

 

[Peru oso donas]

Is the update only available on windows 11? Or does it work on windows 10 too?