CVE-2021-24094

Q: What is the severity of CVE-2021-24094?

CVE-2021-24094 has a CVSS score of 9.8 (CRITICAL). This is a critical remote code execution vulnerability in the Windows TCP/IP stack that allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges by sending specially crafted packets. It affects Windows 10 and Windows Server systems with specific versions. Exploitation could lead to complete system compromise.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

This is a critical remote code execution vulnerability in the Windows TCP/IP stack that allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges by sending specially crafted packets. It affects Windows 10 and Windows Server systems with specific versions. Exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Windows 10
Windows Server 2019
Windows Server 2022

Versions: Windows 10 versions 2004, 20H2, 21H1; Windows Server 2019; Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with IPv6 enabled are vulnerable. The vulnerability exists in the TCP/IP stack implementation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistent backdoors across the network.

🟠

Likely Case

Remote code execution leading to ransomware deployment, botnet recruitment, or credential harvesting from affected systems.

🟢

If Mitigated

Limited impact if systems are patched, network segmentation is in place, and proper firewall rules block malicious traffic.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via network packets makes internet-facing systems extremely vulnerable.

🏢 Internal Only: HIGH - Internal systems are also vulnerable to lateral movement attacks from compromised devices on the same network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Microsoft confirmed exploitation was detected in the wild. The vulnerability requires no user interaction and can be triggered remotely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2021 security updates (KB4601319 for Windows 10 2004/20H2/21H1, KB4601345 for Server 2019, KB4601318 for Server 2022)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094

Restart Required: Yes

Instructions:

1. Apply February 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable IPv6

windows

Disable IPv6 to prevent exploitation via IPv6 packets

netsh interface ipv6 set state disabled

Block ICMPv6 Router Advertisement Packets

windows

Configure firewall to block malicious ICMPv6 packets

netsh advfirewall firewall add rule name="Block ICMPv6 RA" dir=in action=block protocol=icmpv6:134,any

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable systems
Deploy intrusion prevention systems (IPS) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and if February 2021 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB4601319, KB4601345, or KB4601318 is installed in Installed Updates or via 'wmic qfe list' command

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing unexpected system crashes (Event ID 41)
Security logs with suspicious network activity

Network Indicators:

Unusual ICMPv6 traffic patterns
Malformed TCP/IP packets targeting vulnerable systems

SIEM Query:

source="windows" event_id=41 OR (source="firewall" AND (protocol="icmpv6" AND dest_port=134))

📊 Metadata

CVE ID: CVE-2021-24094

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: February 25, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable IPv6

Block ICMPv6 Router Advertisement Packets

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export