CVE-2021-24074: Windows TCP/IP Remote Code Execution Vulnerability Alert

On February 9, 2021, Microsoft issued a risk notice for Windows TCP/IP remote code execution vulnerabilities. The vulnerability number is CVE-2021-24074. The vulnerability CVSS:3.0 score is 9.8 / 8.5.

There is a remote code execution vulnerability in the Windows TCP/IP protocol. The attacker can directly execute arbitrary code on the remote target host through carefully constructed IP data packets.

Vulnerability Detail

There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

Affected version

  • Microsoft Windows 7/8/10/Server 2008/ Server 2012/Server 2016/Server 2019/Server 20H2

Solution

In this regard, we recommend that users upgrade Windows to the latest version in time.
Temporary repair suggestions

1. Set sourceroutingbehavior to “drop”

Use the following command:

netsh int ipv4 set global sourceroutingbehavior=drop

For more information about ipv4 registry settings see Additional Registry Settings

Impact of workaround

IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request. The workaround will cause the system to drop these requests altogether without any processing.

How to undo the workaround

To restore to default setting “Dontforward”:

netsh int ipv4 set global sourceroutingbehavior=dontforward

2. Configure firewall or load balancers to disallow source routing requests