this post was submitted on 16 Aug 2024
690 points (98.9% liked)


If you have the August 13, 2024—KB5041580 update, you're good.

(page 3) 50 comments
[–] [email protected] 18 points 9 months ago (2 children)

This would presumably mainly be an issue for computers open to the internet. So not so much for home PCs, unless the router's firewall is opened up.

[–] [email protected] 16 points 9 months ago (4 children)

I've not read the CVE, but assuming it works on any IPv6 address, including the privacy extension addresses, it's a problem, depending on what most routers do in terms of IPv6 firewalling.

My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.

In my experience, it's a bit hit-and-miss whether they do or not.

Now, if this works on privacy extension addresses, it's a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard, and the fact that by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.

If it doesn't work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.

Here's the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session, then all bets are off, because a popular web server could be hacked and adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.

[–] [email protected] 86 points 9 months ago (6 children)

"Compromises all devices running .... an IPv6 address."

Oh, so no one is affected. (other than network nerds, and they are not real)

[–] [email protected] 43 points 9 months ago

they certainly don't run windows.

[–] [email protected] 51 points 9 months ago* (last edited 9 months ago) (1 children)

IPV6 is already rolled out in parts of the world. My provider has a Dual Stack lite architecture, the home connection is over IPV6, IPV4 is normally being tunneled via V6 through a provider grade NAT.

As I AM a network nerd, I pay for a dedicated IPV4 address every month, so I can reach my stuff from outside from old IPV4 only networks.

So when I plug in my router, connect a windows machine and just google stuff then all this traffic will be IPV6 without me configuring anything.

It's so great fun having the attack surface being doubled by dual stack setups.

[–] [email protected] 8 points 9 months ago (1 children)

Why not instead use the money to pay for a domain name and use a router with a dynamic DNS daemon?

[–] [email protected] 19 points 9 months ago (1 children)

Because behind the carrier grade NAT I don't get a routable IPV4 at all, so no inbound connections.

With the IPV4 I use I do use dyndns now, so I can resolve it from outside.

[–] [email protected] 22 points 9 months ago* (last edited 9 months ago) (1 children)

IPv6 is enabled by default on windows.

EDIT Here's how to disable it. If you can't on your modem/router. Open the network menu from the icon in bottom right of screen > right click on the network you are connected to and click "status" > In the popup click on the "Properties" button > You'll get another popup with the name of your network adapter in a top line/box and a secondary box with a list of things in it > Look for the entry "Internet Protocol Version 6 (TCP/IPv6)" and uncheck the box in front of it > click OK.

[–] [email protected] 4 points 9 months ago (2 children)

I've just queried it; my IP is V4, so presumably I'm fine.

[–] [email protected] 17 points 9 months ago (1 children)

you can have both addresses at the same time - this site shows both if you have them: https://whatismyipaddress.com/

[–] [email protected] 9 points 9 months ago

Or, just type ping -6 google.com from a command prompt. It won't work if you don't have ipv6.

[–] [email protected] 7 points 9 months ago

Depending on your ISP and network setup, you could very well have both v4 and v6 addresses.
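The checks discussed in the comments above (is IPv6 bound to an adapter, does the machine hold IPv6 addresses, is the update from the post installed) can be done in one pass from PowerShell. This is an added example, not something posted in the thread; the parameter name `$KbId` is hypothetical and its default is the KB number given in the post.

```powershell
# Added example: report IPv6 binding, configured IPv6 addresses and patch state.
# $KbId is a hypothetical parameter name; the default is the KB named in the post.
param(
    [string]$KbId = 'KB5041580'
)

# Adapters where "Internet Protocol Version 6 (TCP/IPv6)" is ticked in the
# adapter properties dialog. ms_tcpip6 is the component behind that checkbox.
$bound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)

# IPv6 addresses configured on those adapters, classified by address range.
$addresses = @(
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -in $bound.Name } |
        ForEach-Object {
            $scope = switch -Regex ($_.IPAddress) {
                '^fe[89ab][0-9a-f]:' { 'link-local';   break }  # fe80::/10
                '^f[cd][0-9a-f]{2}:' { 'unique-local'; break }  # fc00::/7
                default              { 'global' }
            }
            [pscustomobject]@{
                Interface    = $_.InterfaceAlias
                Address      = $_.IPAddress
                Scope        = $scope
                PrefixOrigin = $_.PrefixOrigin   # as reported by Windows
                SuffixOrigin = $_.SuffixOrigin   # as reported by Windows
            }
        }
)

# Get-HotFix returns nothing (with the error silenced) when the KB is absent.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

[pscustomobject]@{
    IPv6BoundAdapters    = ($bound.Name -join ', ')
    GlobalIPv6Addresses  = @($addresses | Where-Object Scope -eq 'global').Count
    CheckedKb            = $KbId
    KbInstalled          = [bool]$hotfix
} | Format-List

$addresses | Format-Table -AutoSize

# KbInstalled = False is not proof of an unpatched host: a later cumulative
# update can replace the one checked here, and other Windows versions receive
# their fixes under different KB numbers. Pass the right one with -KbId.
```

A host with no global IPv6 addresses listed still has link-local addresses on every adapter where the binding is enabled, so the binding list is the better indicator of whether the IPv6 stack is active.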

[–] [email protected] 38 points 9 months ago (3 children)

Yay, new Xbox jailbreak method, can't wait for new modded warfare videos about it
