CVE-2024-38063 - Or, IPv6 fucks everyone again, and still nobody actually uses it

You are just blinded by new thing good.
Just because you have an Internet routable IP address does not mean you don't have a firewall on your gateway. It's not the equivalent of a dial-up connection on your PC where nothing stands between your ISP and the machine itself.

The default inbound policy for anything worth a damn on a WAN interface is to block all incoming traffic on IPv4 and IPv6 where there is no matching rule or connection. If you make a policy akin to "Allow all from anywhere" then you're an enormous dunce who gets what they deserve.

Anyone who has had to deal with dysfunctional NAT reflection would appreciate kicking that shit to the curb. The only security NAT provides on top of a firewall is that you can't map inbound traffic to a destination without a rule in place. This is a technological limitation, not a feature to protect users and completely unnecessary with a functioning firewall.

IPv4 resources continue to get more scarce as hoarders of giant unused blocks refuse to give them up and billions of Pajeets come online ready to redeem your Google Play gift cards. The only direction it goes if people continue with IPv4 is more CGNAT and that shit is downright cancer. CGNAT is cattle tier Internet.
 
Just because you have an Internet routable IP address does not mean you don't have a firewall on your gateway. It's not the equivalent of a dial-up connection on your PC where nothing stands between your ISP and the machine itself.

The default inbound policy for anything worth a damn on a WAN interface is to block all incoming traffic on IPv4 and IPv6 where there is no matching rule or connection. If you make a policy akin to "Allow all from anywhere" then you're an enormous dunce who gets what they deserve.

Anyone who has had to deal with dysfunctional NAT reflection would appreciate kicking that shit to the curb. The only security NAT provides on top of a firewall is that you can't map inbound traffic to a destination without a rule in place. This is a technological limitation, not a feature to protect users and completely unnecessary with a functioning firewall.

IPv4 resources continue to get more scarce as hoarders of giant unused blocks refuse to give them up and billions of Pajeets come online ready to redeem your Google Play gift cards. The only direction it goes if people continue with IPv4 is more CGNAT and that shit is downright cancer. CGNAT is cattle tier Internet.
Normal people don't consider the policy on their WAN interface. Normal people don't have a firewall. Normal people get their router/modem combo, plug it in, and get SLAAC auto-configured. You are right about IPv4 resources becoming scarce but "destroy the best (accidental) security every normal person has and 100x every botnet" is not a viable solution.
 
A no click/no input threat, gets through even a blanket ip6 block from the firewall, and an overflow threat.. yikes.

I have IPv6 turned off in the adapter and it's been like that for years. What I've been unable to find out online from articles and forums is whether that (adapter) is enough or it has to be disabled from the reg completely. Because I've seen some conflicting things. Plus this seems a very base level vulnerability since even Windows/system based firewalls won't protect your system. The only thing safe is not allowing ip6 service access to your system.

And before anyone asks, because MS is hell bent on forcing everyone off of old OSs ASAP, so no hope of a patch for anything but 10 and 11. So it's not even an option.


In theory wouldn't disabling IPv6 in your modem work too? That's my best next guess.

It should.. Since it cuts off IP6 service before getting to your system. Assuming this doesn't count shit like IP6 tunneling.. If it's an option and you know what you are doing.


From Microsoft:


Also from Microsoft:



Turning off IPv6 also increases boot time because fuck you

It doesn't break anything really. I've seen 4-5 seconds quoted.. which makes sense in an era where retards use browsers based on how fast they load/start to load in tenths of seconds etc etc.. regardless of usability, lack of features/control and other bullshit like spying on you.


The firewall doesn't help because the Windows IPv6 stack has to accept and analyze the packets before it can do any firewalling, and it's here where the attack sinks its teeth into your system. Disabling the stack means the packets get discarded as junk before the system can read deep enough into the mangled part to get owned and it's official Microsoft advice for temporary mitigation.

There is a question though.. MS doesn't specify what they mean by disable.. There is more than one definition. In addition to doing it from the adapter level and firewall (which is pointless here) there is also a way to disable it completely through the reg. When they say things like 'totally disabling it' they often talk about the latter way.
 
In theory wouldn't disabling IPv6 in your modem work too? That's my best next guess.
I don't even think my modem can do ipv6. It's a shitty one from my ISP but my fiber optic line goes directly into it, and I haven't found routers that can both take an SFP ONT fiber hookup AND work with my internet plan.
 
I’m skeptical that simply disabling ipv6 is enough to be safe from the exploit. The publisher of the exploit has not described the whole vulnerability, in an attempt to delay hackers.
There is a question though.. MS doesn't specify what they mean by disable.. There is more than one definition. In addition to doing it from the adapter level and firewall (which is pointless here) there is also a way to disable it completely through the reg. When they say things like 'totally disabling it' they often talk about the latter way.
That's what I'm wondering myself, you got people going back and forth over disabling it, but no one's clear on which one needs to be disabled or if it even works or if the computer will fuck up if you touch that. With the discovery of this and the other exploit, it feels like a strange ploy to get anyone remaining off the older OS right now and hop onto the future train that is 11.
 
That's what I'm wondering myself, you got people going back and forth over disabling it, but no one's clear on which one needs to be disabled or if it even works or if the computer will fuck up if you touch that. With the discovery of this and the other exploit, it feels like a strange ploy to get anyone remaining off the older OS right now and hop onto the future train that is 11.
I'd still turn it off. Even if this update fixes the immediate problem, IPv6 itself is still a problem. Turns out I already had it off on the network device (not sure if I need to do a registry edit) and my VPN for whatever reason had it on so had an IPv6 address (that shit got turned off), and my cable modem/router is so dumb it doesn't even have an option to turn it off.

I've never experienced the slightest problem from not having IPv6 and don't expect it even will be a problem until years to come. Hope they've fixed it before then.
 
How do I disable IPv6?
I'm scared.

If you can't patch (and even if you can, I don't trust MS, and don't need IP6), for now, disable it at the network/ethernet/wireless adapter level. Until we know more. The firewall option is pointless here since it goes around that, and the registry option has some outstanding questions in addition to being something much more complex unless you know exactly what you are doing. You can also probably turn it off from the modem level.. maybe.

@Gog & Magog

As for how (the adapter):

Open the network menu from the icon in bottom right of screen > right click on the network you are connected to and click "status" > In the popup click on the "Properties" button > You'll get another popup with the name of your network adapter in a top line/box and a secondary box with a list of things in it > Look for the entry "Internet Protocol Version 6 (TCP/IPv6)" and uncheck the box in front of it > click OK and then close everything out and you should be set for now. At least till we know more.


If you connect to multiple networks over the day, you'll have to set it for each one.


That's what I'm wondering myself, you got people going back and forth over disabling it, but no one's clear on which one needs to be disabled or if it even works or if the computer will fuck up if you touch that. With the discovery of this and the other exploit, it feels like a strange ploy to get anyone remaining off the older OS right now and hop onto the future train that is 11.

Disable it from the adapter level for now and wait till we get more info. Yup, even in the very best case, they are using these types of things to kill off older OS's sooner. Underhanded and dick move either way. Should be illegal.


I'd still turn it off. Even if this update fixes the immediate problem, IPv6 itself is still a problem. Turns out I already had it off on the network device (not sure if I need to do a registry edit) and my VPN for whatever reason had it on so had an IPv6 address (that shit got turned off), and my cable modem/router is so dumb it doesn't even have an option to turn it off.

I've never experienced the slightest problem from not having IPv6 and don't expect it even will be a problem until years to come. Hope they've fixed it before then.

Yeah, I've had it disabled from the adapter for years now. Since my IP offered IPv6 service in fact. (actually more like a decade+) I haven't run into any issues at all. OC MS might be talking about the registry option in their warning not to disable so I don't know. As I said above, we have to wait for more details of what actually needs to be disabled. Whether adapter level is enough.
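
The posts above distinguish two ways of turning IPv6 off on Windows: unchecking the per-adapter binding and setting a registry value. The following is an added example, not part of any post in the thread, that reports the current state at both levels so you can see what is actually in effect on a machine; it only reads state and makes no claim about which level is sufficient against CVE-2024-38063. The function name `Get-IPv6State` is hypothetical.

```powershell
# Added example (not from the thread): report IPv6 state at the two levels
# the posts talk about, the adapter binding and the registry value.
function Get-IPv6State {
    # Per-adapter binding: the "Internet Protocol Version 6 (TCP/IPv6)" checkbox.
    # -IncludeHidden also lists hidden adapters such as tunnel interfaces.
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 -IncludeHidden |
        Select-Object Name, InterfaceDescription, Enabled

    # Registry-level setting. If the value is absent, the default applies
    # (all IPv6 components enabled). Changes here need a reboot to take effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $reg = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    $disabledComponents = if ($reg) { '0x{0:X}' -f $reg.DisabledComponents } else { 'not set' }

    # IPv6 addresses currently assigned, excluding loopback. Anything listed
    # here means some interface is still speaking IPv6.
    $addresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -ne '::1' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin

    [pscustomobject]@{
        Bindings           = $bindings
        DisabledComponents = $disabledComponents
        LiveAddresses      = $addresses
    }
}

$state = Get-IPv6State
$state.Bindings | Format-Table -AutoSize
"DisabledComponents: $($state.DisabledComponents)"
$state.LiveAddresses | Format-Table -AutoSize

# Equivalent of unchecking the box on every adapter at once (elevated prompt):
# Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
```

An adapter with `Enabled` set to `True`, or any entry under `LiveAddresses`, shows where IPv6 is still bound, which covers the "you'll have to set it for each one" case without clicking through every connection.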
 
...But because everyone learned from WannaCry/EternalBlue, everything, even mission-critical 24/7 systems, were patched or isolated on IPv4-only networks. :optimistic:
 
¯\_(ツ)_/¯
 
I finally bit the bullet and updated from 1511 to 22H2. Boy, I already feel like it was a mistake: Bootup time increased from about 10 seconds to whopping 3+ minutes, plenty of bloat and telemetry I had to spend over an hour cleansing (and there is still likely more), a forced Internet Explorer Edge download I had to get rid of, and for some reason the default Photos app doesn't exist or doesn't show up and I had to download a third party program just to view my images. Ditto for keeping the Explorer settings for every folder just like I want them to be (show details, miniatures or large icons, things like that). Everything just worked on my own build and I have a feeling I am only getting started with the shit I will have to put up with as a price for finally getting everything updated to this decade. This is why you never update short of a catastrophic security problem or unless you have major bug fixing that needs to happen.
The one thing that better work is this newest fix for the exploit or I am going to go ballistic. Disabled IPv6 in settings just in case regardless.
 
I finally bit the bullet and updated from 1511 to 22H2. Boy, I already feel like it was a mistake: Bootup time increased from about 10 seconds to whopping 3+ minutes
That's not normal. Mine is on the sign in screen within 15 seconds.
 
God damn, people still disabling IPv6 as a workaround or ‘just in case’.

1. There is no evidence that disabling IPv6 will protect you. Download the fucking patch.

2. Disabling IPv6 in Windows fucks around with a bunch of components and impacts performance. Yes, it doesn’t make any sense, but that’s Microsoft for you. If you’re gonna run Windows, you should leave IPv6 on.

3. Windows 7 is ancient history at this point. If you want to use Windows 7, that’s fine. I still use many old versions of Windows. But don’t connect to the internet. Just don’t do it. Microsoft is not coming back to Windows 7. It’s not going to happen. Don’t be a retard. Upgrade or buy a cheap laptop or dual boot Linux for your web browsing if you have to. Just don’t connect out-of-support operating systems to the internet. There is no excuse for that shit.
 
¯\_(ツ)_/¯
Can anyone even name any "only IPv6 sites?" I've had it disabled since forever and no issues. Those sites must be as gay as a gay bathhouse because a gay bathhouse is somewhere I wouldn't even want to be. So what's the minus?
1. There is no evidence that disabling IPv6 will protect you. Download the fucking patch.
Bitch everyone here already did that. No reason to have IPv6 at this point in time, though.
 
I went to install the patch and my pc did it automatically a few days ago. Auto-update isn't so bad after all.
You know, I got a lot of negative reddit karma negative stickers for this comment but I genuinely want to know what exactly made everyone give me those stickers. Nobody has replied to me explaining why it's lunacy or they disagree and as a guy who is a self taught programmer just starting his career who admittedly has a lot of holes in his knowledge, I genuinely wish someone replied to me to call me a retard and give a solid explanation why my post was stupid because I need to know this kinda shit. I never went to college, I never will, and I avoid using mainstream shit for input unless I really need to, because half the time "just googling it" is unreliable and playing ball with the establishment is gayer than sucking dick for cock.
 
You know, I got a lot of negative reddit karma negative stickers for this comment but I genuinely want to know what exactly made everyone give me those stickers. Nobody has replied to me explaining why it's lunacy or they disagree and as a guy who is a self taught programmer just starting his career who admittedly has a lot of holes in his knowledge, I genuinely wish someone replied to me to call me a retard and give a solid explanation why my post was stupid because I need to know this kinda shit. I never went to college, I never will, and I avoid using mainstream shit for input unless I really need to, because half the time "just googling it" is unreliable and playing ball with the establishment is gayer than sucking dick for cock.
I assume because MS auto-updating sucks dick, there's a chance it will fuck with your Windows since MS QA is either non-existent or poojeet-tier, a good chance it will fuck with your work when forcefully shutting down to reboot (which wintards will claim is your own fault for doing any important work on your home PC), depending how MS feels like shoving a new Windows version down your throat (conveniently resetting some of your settings, like telemetry and other shit). Some linuxtards having the opinion a computer should never do anything itself unless you tell it to (not entirely wrong, but automation is a thing, otoh it means trusting MS lol).
All in all there's nothing wrong if it works for you and you're ok with it.

TLDR: don't worry about it, stickers are just shitposting half the time.
 
IPV6 Shills On Suicide Watch
Literally. We need it so bad but nobody wants to support it correctly

And before anyone asks, because MS is hell bent on forcing everyone off of old OSs ASAP, so no hope of a patch for anything but 10 and 11. So it's not even an option.
Did you even read the page? They pushed updates for everything down to 2008

Can anyone even name any "only IPv6 sites?"
Us, at various times.
 