Microsoft today urged customers to install, as soon as possible, security updates for three Windows TCP/IP vulnerabilities rated critical and high in severity.
The warning was issued because of the increased exploitation risk and the potential for denial-of-service (DoS) attacks that may soon target these flaws.
The three TCP/IP vulnerabilities affect computers running Windows client and server versions from Windows 7 onward.
They can all be exploited remotely by unauthorized attackers and are tracked as CVE-2021
Two of them expose unpatched systems to Remote Code Execution (RCE) attacks, while the third enables attackers to trigger a DoS state by taking down the targeted device.
“The DoS exploits for these CVEs will allow a remote attacker to cause a stop error. Customers can receive a blue screen on any Windows system that is directly exposed to the Internet with minimal network traffic,” said the Microsoft Security Response Center team.
“The two RCE vulnerabilities are complex, making it difficult to create functional exploitations, so it is unlikely in the short term.
“We believe that attackers will be able to create DoS exploits much faster and expect all three issues to be exploited with a DoS attack shortly after release. We recommend that customers move quickly to use Windows security updates this month.”
Windows TCP/IP vulnerabilities:
– Internal discovery at Microsoft
– Not exploited in nature
– Utilizing exploitation for RCE is very difficult
– Temporary solution is denied Source Routing, which is not allowed by default
CVE-2021-24074 CVE-2021-24094 CVE-2021-24086 https://t.co/WJLhzqwRVp
– Kevin Beaumont (@GossiTheDog) February 9, 2021
Workarounds are also available
While Microsoft says it is important to apply the current security updates to all Windows devices as soon as possible, the company also provides workarounds for those who cannot deploy the updates immediately.
Redmond offers separate Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) workarounds for these vulnerabilities.
The IPv4 workaround requires hardening against the use of Source Routing, which is normally disallowed in the default Windows configuration.
Detailed instructions are available in the CVE-2021-24074 advisory. The workaround can be applied either through Group Policy or by running a NETSH command, which does not require restarting the updated machine.
The IPv6 workarounds require blocking IPv6 fragments, which unfortunately can adversely affect services with IPv6 dependencies. Information on how to apply them is available in the CVE-2021-24094 and CVE-2021-24086 advisories.
“IPv4 Source Routing requests and IPv6 snippets can be blocked on an edge device, such as a load balancer or a firewall,” Microsoft also noted.
“This option can be used to reduce high-risk exposure systems and then have the systems patched to standard cadence.”
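The host-level workarounds described above can be audited and applied with a short script. This is an added example, not code from Microsoft or from the article: the two `netsh ... set global` commands are the ones published in Microsoft's advisories for these CVEs, while the script structure, the switch names and the English-language output labels it parses are assumptions.

```powershell
# Added example (not from Microsoft or the article). Run from an elevated prompt.
# Assumption: English-language netsh output; the label strings below are matched literally.
param(
    [switch]$ApplyIPv4,   # sourceroutingbehavior=drop (CVE-2021-24074)
    [switch]$ApplyIPv6    # reassemblylimit=0 (CVE-2021-24094 / CVE-2021-24086); drops ALL IPv6 fragments
)

function Get-NetshGlobalValue {
    param([ValidateSet('ipv4', 'ipv6')][string]$Family, [string]$Label)
    # 'netsh int <family> show global' prints lines of the form "Label   : value"
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in (netsh int $Family show global)) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null   # label not found (older OS or localized output)
}

function Get-WorkaroundState {
    $src   = Get-NetshGlobalValue -Family ipv4 -Label 'Source Routing Behavior'
    $limit = Get-NetshGlobalValue -Family ipv6 -Label 'Reassembly Limit'
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SourceRouting     = $src
        IPv4WorkaroundSet = ($src -eq 'drop')
        ReassemblyLimit   = $limit
        IPv6WorkaroundSet = ($limit -match '^0(\D|$)')
    }
}

$before = Get-WorkaroundState

if ($ApplyIPv4 -and -not $before.IPv4WorkaroundSet) {
    netsh int ipv4 set global sourceroutingbehavior=drop | Out-Null
    # Revert after patching: netsh int ipv4 set global sourceroutingbehavior=dontforward
}
if ($ApplyIPv6 -and -not $before.IPv6WorkaroundSet) {
    # Opt-in only: this breaks any service that relies on fragmented IPv6 traffic
    netsh int ipv6 set global reassemblylimit=0 | Out-Null
    # Revert after patching: netsh int ipv6 set global reassemblylimit=267748640
}

# Re-read the live settings so the report reflects what the stack is actually using
Get-WorkaroundState | Format-List
```

Run without switches, the script only reports the current state. Neither setting requires a restart, and both should be reverted once the security updates are installed.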