Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an important Denial of Service (DoS) vulnerability (CVE-2021-24086).
Two of them expose unpatched systems to remote code execution (RCE) attacks, while the third one enables attackers to trigger a DoS state, taking down the targeted device.
The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic
IPv4 and IPv6 Workarounds Available
The Internet Protocol version 4 (IPv4) workaround requires hardening against the use of Source Routing, normally disallowed in the Windows default state.
This workaround is documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot.
The Internet Protocol version 6 (IPv6) workarounds are documented in CVE-2021-24094 and CVE-2021-24086, and require blocking IPv6 fragments, which may negatively impact services with dependencies on IPv6.
IPv4 Source Routing requests and IPv6 fragments can be blocked on an edge device, such as a load balancer or a firewall. This option can be used to mitigate systems with high-risk exposure and then allow the systems to be patched following their standard cadence.