CVE-2024-38063 - Disabling IPv6 binding = fix - or not?

Dear community,

In today's LinkedIn stream and other social media you might have noticed a recent CVE and the recommendation to disable IPv6 in Windows Server and Windows Client.


We are talking about this one:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

Reading the advisory carefully, Microsoft, strictly speaking, does not directly recommend disabling (technically: unbinding) IPv6.

Citing:
"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation:

  • Systems are not affected if IPv6 is disabled on the target machine."

Maybe I am nitpicking a bit here based on old experiences, and I would greatly appreciate a refreshed Microsoft statement on the disablement (unbinding) of IPv6 and its side effects in 2024.


What we have learned in the past

- do not disable IPv6 lightly.

- yes, you can face issues with IPv6 being on by default in unexpected or misconfigured setups. These are often caused by DHCPv6, especially in the combination of critical domain controllers, dual-stack ISPs and SoHo routers messing up your DNS.


What's the fuss about IPv6? I am not actively using it in corporate / at home.

IPv6 is being used in Windows. More specifically, the non-routable fe80 link-local addresses and the loopback address ::1 are used for internal purposes by Windows and other software. One may complain that these use cases are, unjustifiably, not well or transparently documented.


Further reading from the past

Here are some references that Copilot brings up. Trust my memory: I've read more like this.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-adminis...

https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9


https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows



My personal conclusion

Hold on, we need patches for this CVE, but we should not disable IPv6 lightly.

Please disable IPv6 temporarily when you cannot patch this CVE immediately / in time.
Take notes of which systems you had to disable it on, and consider re-enabling it once patches have been tested and applied. If you are using IPv6 knowingly, note the NIC configs: they will be lost when you are using static settings rather than DHCPv6.

I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwagon, especially on social media, to casually disparage the IPv6-enabled-by-default setting of Windows Client and Windows Server, telling you the easier story:
"Disable IPv6 and you are good / if you do not need it."

Let me counter: you might not know you're "needing it" in the first place.

Whenever you are changing system defaults in Windows, mind that Microsoft and other software vendors may not consider these changes in their testing.
And the CrowdStrike Black Friday showed us clearly how outlier system configs and insufficient testing go together: not very well.


IPv6 usage and defaults today

One of the most recent examples that Microsoft is using IPv6 can be found in the Azure Arc agent (Connected Machine agent) changelog:

"Better handling when IPv6 local loopback is disabled"

source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes


How can I disable IPv6, if required?

Many roads lead to Rome. Windows + X > Terminal / PowerShell (Admin)

#save current NIC config into a simple text file
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Out-File $env:temp\original-ipv6-config.txt

#disable IPv6 on all adapters
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Disable-NetAdapterBinding



And how to revert the change?

Windows + X > Terminal / PowerShell (Admin)
#enable IPv6 on all adapters where it is currently unbound (check the text file saved earlier to see which adapters had it enabled originally)
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $false | Enable-NetAdapterBinding
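The disable and revert steps above rely on a formatted text dump to remember the original state. As an added example (not the post's own commands), the following script records each adapter's ms_tcpip6 binding state and any manually configured IPv6 addresses as JSON, unbinds IPv6 only where it is bound, and later restores exactly that set; the state file path and function names are this example's own choices.

```powershell
# Added example, not the original post's commands. Run in an elevated
# PowerShell (Windows + X > Terminal (Admin)). State file path and function
# names are assumptions of this example.
$StateFile = Join-Path $env:ProgramData 'ipv6-binding-state.json'

function Save-Ipv6State {
    # Out-File of a formatted table is hard to read back; JSON keeps the fields.
    $state = [ordered]@{
        SavedAt  = (Get-Date).ToString('o')
        Bindings = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
                     Select-Object Name, Enabled)
        # static (manually set) IPv6 addresses are lost when the binding is removed
        StaticAddresses = @(Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin Manual `
                                -ErrorAction SilentlyContinue |
                            Select-Object InterfaceAlias, IPAddress, PrefixLength)
    }
    $state | ConvertTo-Json -Depth 4 | Set-Content -Path $StateFile -Encoding UTF8
    return $state
}

function Disable-Ipv6Temporarily {
    # save first, then unbind only on adapters that currently have IPv6 bound
    $state = Save-Ipv6State
    foreach ($b in ($state.Bindings | Where-Object { $_.Enabled })) {
        Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6' -PassThru
    }
}

function Restore-Ipv6State {
    if (-not (Test-Path $StateFile)) { throw "No saved state found at $StateFile" }
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    # re-enable only the adapters that had IPv6 bound when the state was saved,
    # leaving adapters that were deliberately unbound before untouched
    foreach ($b in ($state.Bindings | Where-Object { $_.Enabled })) {
        Enable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6' -PassThru
    }
    foreach ($a in $state.StaticAddresses) {
        # re-add static addresses that did not survive the unbind; an address
        # that still exists makes New-NetIPAddress fail, which is ignored here
        New-NetIPAddress -InterfaceAlias $a.InterfaceAlias -IPAddress $a.IPAddress `
            -PrefixLength $a.PrefixLength -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage: Disable-Ipv6Temporarily now; Restore-Ipv6State after the patch is applied.
```

Static IPv6 default routes and DNS server settings are not captured by this script; note them separately before unbinding.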


TL;DR

Microsoft is using fe80 link-local addresses and the loopback address ::1 for internal reasons.
IPv6 is preferably used over IPv4 when it is bound to a network adapter, including said special non-routable addresses.

Please disable IPv6 temporarily when you cannot patch this CVE immediately / in time. Take notes of the current config.


Please spread the word, and mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issues due to a lack of testing by Microsoft or other software vendors, who assume the defaults, which include IPv6 being turned on.
