First, let’s get right to CVE-2024-38063, this is a zero-click, wormable remote code execution hole in Windows that requires no authentication and is exploited using IPv6 packets. It’s pretty bad; it’s a 9.8-out-of-10 on the CVSS severity scale.
If someone can craft the correct IPv6 packets to send to your vulnerable Windows machine via the local network or the internet, they can take over that box, install malware or ransomware, steal data, and more. This happens at the TCP/IP stack level in the operating system. There are no exploits for it yet that we know of. Redmond credited someone called Wei at Cyber KunLun’s Kunlun Lab for discovering and reporting it.
“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” the Azure giant said.
That needs to be patched ASAP before someone figures out how to abuse it in the wild and uses it to hijack computers around the world. All we know so far is that it involves an integer underflow, which may be tricky to exploit in practice though Microsoft says it thinks exploitation is likely at some point.
There’s also another 9.8 bug, CVE-2024-38140, a use-after-free in the Windows Reliable [sic] Multicast Transport Driver that can be exploited again to achieve remote code execution on a vulnerable computer without authentication needed.Another of the critical bugs being patched today: CVE-2024-38160, remote code execution hole in Windows Network Virtualization. This bug is a heap buffer overflow. This appears to be a useful way to attack other customers in a public cloud setting using Redmond’s technologies. It allows someone to move from their virtual machine’s confines to the host hypervisor server, and then get into other people’s guests.
“This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s [sic] applications and content,” says Microsoft.
“An attacker could exploit the vulnerability by taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.”
Network Virtualization has another critical flaw, CVE-2024-38159, that works pretty much the same way as above.
And there’s also CVE-2024-38166 in Microsoft Dynamics 365 (a cross-site scripting hole), CVE-2024-38206 in Microsoft Copilot Studio that can cause the AI suite to “leak sensitive information over a network,” and CVE-2024-38109 in the Azure Health Bot that could be used to elevate privileges.
Regarding the bot, Microsoft says: “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. This purpose of this CVE is to provide further transparency.”