> Found by Kunlun Lab's XiaoWei and tracked as CVE-2024-38063, this security bug is caused by an Integer Underflow weakness, which attackers could exploit to trigger buffer overflows that can be used to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems.
> "Considering its harm, I will not disclose more details in the short term," the security researcher tweeted, adding that blocking IPv6 on the local Windows firewall won't block exploits because the vulnerability is triggered prior to it being processed by the firewall.
> As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.
In this thread: luddites congratulating themselves that their routine of setting up a new PC by disabling IPv6, turning off JavaScript, and setting the terminal to green FixedSys has finally paid off.
This will justifiably be used to disable IPv6 in many places, which will sadly set back IPv6 adoption just that little bit more.
I'm IPv6-only on my personal infra, and it's pretty nice. End to end reachability between machines and containers, and reduced need for middle boxes like reverse proxies.
> As a mitigation measure for those who can't immediately install this week's Windows security updates, Microsoft recommends disabling IPv6 to remove the attack surface.
and
> "That means it's wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on just about everything."
Microsoft product quality déjà vu c. 1990s. If a vendor is going to build and maintain a widely used operating system, at least they should take the trouble to thoroughly test it, use safer and consistent SWE practices, and use formal verification processes to prove artifacts created fulfill a desired behavior model without deleterious or undesirable side-effects. But no, there is no accountability and certain vendors continue to do the same thing and expect a different result. Customers may be left to find alternatives rather than continue the stupidity and/or insanity, of which there aren't meaningfully better alternatives, and so running systems becomes a Hobson's choice between use and nothing.
It would make it harder to develop, would prevent most errors like this from ever reaching production, but also would lower the performance baseline because Rust wouldn't allow writing code with some clever tricks like self-modifying code.
All somebody has to do is grep "::" some logs somewhere for millions of hosts then | uniq to remove duplicates > to some file and then there's their master host list.
For all we know, bad actors could be positioning themselves right now. But for hosts that need ipv6 and have no ipv4 uplinks it's not like they can just disable their internet. They can, but they won't.
Cisco just laid off a major amount of their workforce too, so it should be interesting to watch.
Disable IPv6 on All Network Adapters
Open PowerShell as Administrator:
Right-click on the Start menu or press Windows Key + X.
Select Windows PowerShell (Admin) or Windows Terminal (Admin) if using a newer version of Windows.
Disable IPv6 on All Network Adapters: Execute the following command in PowerShell:
Explanation:
Get-NetAdapter: Retrieves all network adapters.
ForEach-Object { ... }: Iterates through each network adapter.
Disable-NetAdapterBinding: Disables the IPv6 binding for the specified network adapter.
-ComponentID ms_tcpip6: Specifies the IPv6 protocol to disable.
Disable IPv6 Globally
If you want to disable IPv6 globally (not just on network adapters), you can use the Windows Registry to achieve this. Here’s how:
Open PowerShell as Administrator:
Same steps as above.
Disable IPv6 Globally: Execute the following commands to modify the Windows Registry:
# Disable IPv6 on all network interfaces
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name 'DisabledComponents' -Value 0xFF
# Apply the changes by restarting the network interface or rebooting the system
Restart-NetAdapter -Name (Get-NetAdapter | Select-Object -First 1).Name
Explanation:
Set-ItemProperty: Modifies a registry key value. In this case, it sets the DisabledComponents value to 0xFF, which disables all IPv6 components.
Restart-NetAdapter: Restarts the network adapter to apply changes. If this doesn’t work, a system reboot may be required.
Verify IPv6 Status
To check if IPv6 has been disabled, you can run:
Get-NetAdapterBinding -ComponentID ms_tcpip6
This command will list network adapters and show whether the IPv6 binding is enabled or disabled.
Re-enable IPv6
Administrative Privileges: Disabling network features typically requires administrative rights.
Network Impact: Disabling IPv6 might affect certain network functionalities or applications that rely on it, so be sure that it’s necessary for your use case.
Reboot: Some changes might require a reboot to take full effect.
By following these steps, you can disable IPv6 on your Windows system using PowerShell.
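The three steps in the post above (unbind IPv6 from each adapter, set the registry switch, verify) collected into one script, as an added example rather than the commenter's own code or Microsoft's guidance. The function names, the -WhatIf preview support and the shape of the status output are this example's own choices; the registry path, the ms_tcpip6 component ID and the 0xFF value are the ones the post uses.

```powershell
#Requires -RunAsAdministrator
# Added example (not the commenter's script): the procedure from the post above in one file.
# Function names and the Get-Ipv6Status output format are this example's own choices.

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Disable-Ipv6Binding {
    # Step 1: unbind the IPv6 protocol component (ms_tcpip6) from every adapter.
    # Supports -WhatIf so the set of affected adapters can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-NetAdapter | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable ms_tcpip6 binding')) {
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
        }
    }
}

function Set-Ipv6DisabledComponents {
    # Step 2: the global registry switch; 0xFF is the value the post uses.
    # The value must be REG_DWORD, so the type is given explicitly instead of being inferred.
    # The change takes effect after a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Value = 0xFF)
    $target = "$Tcpip6Params\DisabledComponents"
    if ($PSCmdlet.ShouldProcess($target, ('Set to 0x{0:X}' -f $Value))) {
        Set-ItemProperty -Path $Tcpip6Params -Name 'DisabledComponents' -Value $Value -Type DWord
    }
}

function Get-Ipv6Status {
    # Step 3: verification. Emits one object per adapter with the binding state, any IPv6
    # addresses still assigned, and the current registry value (null if it was never set).
    $reg = Get-ItemProperty -Path $Tcpip6Params -Name 'DisabledComponents' -ErrorAction SilentlyContinue
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
        $addrs = Get-NetIPAddress -InterfaceAlias $_.Name -AddressFamily IPv6 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter            = $_.Name
            Ipv6BindingEnabled = $_.Enabled
            Ipv6Addresses      = ($addrs.IPAddress -join ', ')
            DisabledComponents = $(if ($reg) { '0x{0:X}' -f $reg.DisabledComponents } else { $null })
        }
    }
}

# Usage: run Disable-Ipv6Binding -WhatIf first to preview, then apply and verify.
Disable-Ipv6Binding
Set-Ipv6DisabledComponents
Get-Ipv6Status | Format-Table -AutoSize
```

Get-Ipv6Status is the part worth keeping around after the change: an adapter whose Ipv6BindingEnabled column is False but which still lists addresses has not been rebooted yet, and a null DisabledComponents column means the registry step was skipped. The post's own caveat applies unchanged: unbinding IPv6 breaks anything on the host that depends on it, so confirm that before running the two mutating calls.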
If you mean something like HTTP server logs, then clients should be rotating their addresses regularly, and router firewalls should be blocking any incoming unestablished connections, so you can't just look at a log to find vulnerable computers to talk to.
You'd be much more likely to find a vulnerable computer that you can actually talk to by looking at AAAA records for websites. Or if you were a malicious website, wait for people to talk to you, and then send evil responses.
For the sake of this issue here, does it matter which is used, I wonder, because I have been unable to find any source willing to spell it out. (that is, is simply turning it off on the adapter enough)
I would recommend just disabling ipv6 completely. There is zero need for every machine on the internet to be able to know your computer exists. 15 years ago I had a different opinion, I thought the technology was superior and really well thought out. Today, when Silicon Valley is wholesale selling your personal life away for advertisers, I recommend doing the exact opposite of whatever they tell you to do. In this case, those pushing ipv6 the hardest are the Googles/Facebooks/etc.
Every computer on the Internet is not able to know my computer exists. My router allows established (i.e. originally outgoing) connections/flows and drops anything else without even an ICMP reply, same as ipv4. If I want to run a service though, then I just add a rule to allow traffic on that port to my computer's stable address.
ipv6 and global addressability allows p2p services to work, which is necessary to get away from centralized service providers like google/facebook/etc.
> If I want to run a service though, then I just add a rule to allow traffic on that port to my computer's stable address.
Problem: in most consumer firewalls, and even in OpenWrt, there are simply no words to express this. I don't know what my IPv6 prefix would be next time my modem reconnects, therefore, I don't know which IPv6 address my computer would then get. However, firewall configuration tools are built under the assumption that static IPs are the only existing ones. I just cannot write "the delegated prefix from the WAN plus :d63d:7eff:fed9:0a39".
I agree that is an obvious missing functionality. It's never affected me because anywhere I've lived I've always ended up with stable prefixes/addresses (both ipv4 and v6) for years, but it's obviously something consumer firewalls need. Fortunately that's a much easier problem to fix (replace or update the one device) than trying to get everyone to use ipv6 in the first place.
Can you share a screenshot of the relevant firewall rule that allows access to one port on one IPv6 address behind the router and doesn't break when the ISP assigns a different delegated prefix?
Better late than never. Thanks! And indeed, this looks like a well-thought-out (with an explicit field for the IPv6 interface ID, as opposed to the full address) approach to IPv6 forwarding and firewalling.