CVE-2021-24074: Windows TCP/IP Remote Code Execution Vulnerability Alert
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.
- Microsoft Windows 7/8/10/Server 2008/ Server 2012/Server 2016/Server 2019/Server 20H2
1. Set sourceroutingbehavior to “drop”
Use the following command:
netsh int ipv4 set global sourceroutingbehavior=drop
For more information about ipv4 registry settings see Additional Registry Settings
Impact of workaround
IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request. The workaround will cause the system to drop these requests altogether without any processing.
How to undo the workaround
To restore to default setting “Dontforward”:
netsh int ipv4 set global sourceroutingbehavior=dontforward
2. Configure firewall or load balancers to disallow source routing requests