CVE-2024-38063 – Disabling IPv6 binding = fix – or not?
Dear community,
in today's LinkedIn stream and on other social media you might have noticed a recent CVE and the recommendation to disable IPv6 on Windows Server and Windows Client.
We are talking about this one:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
Reading the advisory carefully, Microsoft does not, strictly speaking, recommend disabling IPv6; it lists a disabled IPv6 stack as a mitigating factor.
Citing:
“Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation:
Systems are not affected if IPv6 is disabled on the target machine.”
Maybe I am nitpicking here because of old experiences, but I would greatly appreciate a refreshed Microsoft statement on disabling (unbinding) IPv6 and its side effects in 2024.
What we have learned in the past
– do not disable IPv6 lightly.
– yes, you will face issues, even on critical domain controllers, for example with dual-stack ISPs and SoHo routers messing up your DNS.
What's the fuss about IPv6? I do not use it in the corporate network or at home.
IPv6 is used inside Windows regardless. More specifically, the non-routable link-local fe80 addresses and the loopback address ::1 are used for internal purposes by Windows and by other software. One may rightly complain that these use cases are not well and transparently documented.
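Before deciding to unbind IPv6, it is worth seeing what on the host is actually using it right now. The following is an added example, not code from the original post: it lists the IPv6 addresses present on the box (loopback ::1, link-local fe80::/10, anything else) and the TCP listeners and UDP endpoints bound to an IPv6 address together with their owning process. The function name is this example's own choice; run it from an elevated PowerShell so that the owning process resolves for services.

```powershell
# Added example (not from the original post): inventory current IPv6 usage on
# this host before unbinding IPv6. Run in PowerShell (Admin).
# Function name is this example's own choice.

function Get-Ipv6Inventory {
    # 1. IPv6 addresses configured on any interface, classified by scope.
    #    '::1' and 'fe80:*' are the ones Windows and local software rely on
    #    even on hosts with no routed IPv6 connectivity.
    $addresses = Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
        $kind = switch -Wildcard ($_.IPAddress) {
            '::1'    { 'loopback' }
            'fe80:*' { 'link-local' }
            default  { 'other (global / ULA / temporary)' }
        }
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Address   = $_.IPAddress
            Kind      = $kind
        }
    }

    # 2. Listening TCP sockets and bound UDP endpoints with an IPv6 local address.
    #    IPv4 addresses contain no ':', so the wildcard selects IPv6 only.
    #    '::' means "any IPv6 address", '::1' means loopback only.
    $endpoints = @(
        Get-NetTCPConnection -State Listen | Where-Object LocalAddress -like '*:*' |
            Select-Object @{n = 'Protocol'; e = { 'TCP' }}, LocalAddress, LocalPort, OwningProcess
        Get-NetUDPEndpoint | Where-Object LocalAddress -like '*:*' |
            Select-Object @{n = 'Protocol'; e = { 'UDP' }}, LocalAddress, LocalPort, OwningProcess
    )

    $listeners = foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol = $ep.Protocol
            Local    = '[{0}]:{1}' -f $ep.LocalAddress, $ep.LocalPort
            PID      = $ep.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
        }
    }

    [pscustomobject]@{ Addresses = $addresses; Listeners = $listeners }
}

$inv = Get-Ipv6Inventory
"IPv6 addresses:"
$inv.Addresses | Format-Table -AutoSize
"IPv6 listeners and endpoints:"
$inv.Listeners | Sort-Object Protocol, Local | Format-Table -AutoSize
```

Anything listed under Listeners with a local address of ::1 or :: is software that currently accepts connections over IPv6 on this machine; that is the list to review against your own applications before you unbind the stack, and again after you re-enable it.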
Have a read in the past
Here are some references that Copilot brings up. Trust my memory, I have read more like these.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251
https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
My personal conclusion
Hold on: we need patches for this CVE, but we should not disable IPv6 lightly.
Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time.
Take notes of which systems you had to disable it on, and re-enable it once the patches have been tested and applied.
I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwagon, especially on social media, to discredit the IPv6-by-default enablement of Windows Client and Windows Server, telling the easier story: disable IPv6 and you are good, or at least if you do not need it.
You might not know that you "need" it in the first place.
Whenever you change system defaults in Windows, keep in mind that Microsoft and other software vendors may not cover these changes in their testing.
And the CrowdStrike "Black Friday" showed us clearly how outlier system configurations and insufficient testing go together. Not very well.
IPv6 usage and defaults today
One of the most recent examples of Microsoft relying on IPv6 can be found in the Azure Arc Agent (Connected Machine Agent) release notes:
“Better handling when IPv6 local loopback is disabled”
source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes
How can I disable IPv6, if required?
Many roads lead to Rome. Windows + X > Terminal / PowerShell (Admin)
# save the current IPv6 binding state of all adapters into a simple text file (note the backslash in the path)
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | Where-Object Enabled -eq $true | Out-File "$env:TEMP\original-ipv6-config.txt"
# disable IPv6 on all adapters where it is currently bound
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | Where-Object Enabled -eq $true | Disable-NetAdapterBinding
And how to revert the change?
Windows + X > Terminal / PowerShell (Admin)
# re-enable IPv6 on all adapters where it is currently unbound (after the disable step, Enabled is $false, so filtering on $true would match nothing)
# compare against the saved text file first: this also re-binds adapters that were intentionally unbound before
Get-NetAdapterBinding -ComponentID "ms_tcpip6" | Where-Object Enabled -eq $false | Enable-NetAdapterBinding
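The two snippets above treat every adapter alike, and the revert re-binds IPv6 even on adapters that were deliberately unbound before the mitigation. The following added example, not code from the original post, records the per-adapter binding state to a CSV file, unbinds IPv6 only where it is bound, and restores exactly the adapters that had it bound before. The state file path and the function names are this example's own choices; the cmdlets are the same NetAdapter cmdlets used above.

```powershell
# Added example (not from the original post): record, disable and restore the
# IPv6 (ms_tcpip6) binding per adapter so the revert reproduces the pre-mitigation
# state instead of enabling IPv6 everywhere. Run in PowerShell (Admin).
# State file location and function names are this example's own choices.

$StateFile = Join-Path $env:ProgramData 'ipv6-binding-state.csv'

function Save-Ipv6BindingState {
    # One row per adapter: name, description and whether ms_tcpip6 is bound.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Select-Object Name, InterfaceDescription, Enabled |
        Export-Csv -Path $StateFile -NoTypeInformation -Encoding UTF8
    $rows = @(Import-Csv -Path $StateFile)
    "Saved IPv6 binding state of $($rows.Count) adapter(s) to $StateFile"
}

function Disable-Ipv6Binding {
    # Temporary mitigation: unbind IPv6 only where it is currently bound.
    # -PassThru returns the changed bindings so the result is visible.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object Enabled -eq $true |
        Disable-NetAdapterBinding -PassThru |
        Format-Table Name, ComponentID, Enabled -AutoSize
}

function Restore-Ipv6Binding {
    # Revert from the recorded state. Export-Csv stores booleans as the
    # strings 'True'/'False', hence the string comparison.
    if (-not (Test-Path $StateFile)) {
        throw "No saved state found at $StateFile - nothing to restore."
    }
    $previouslyBound = Import-Csv -Path $StateFile | Where-Object { $_.Enabled -eq 'True' }
    foreach ($row in $previouslyBound) {
        Enable-NetAdapterBinding -Name $row.Name -ComponentID 'ms_tcpip6'
    }
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' | Format-Table Name, Enabled -AutoSize
}

function Test-Ipv6Binding {
    # Quick check for before/after: names of adapters that still have IPv6 bound.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object Enabled -eq $true |
        Select-Object -ExpandProperty Name
}

# Usage:
#   Save-Ipv6BindingState; Disable-Ipv6Binding   # mitigate until the update is installed
#   Test-Ipv6Binding                             # should list nothing while mitigated
#   Restore-Ipv6Binding                          # once the patch is applied and tested
```

Keep the CSV with your change record; it is the evidence of what the host looked like before the mitigation, and `Restore-Ipv6Binding` uses it rather than assuming every adapter should end up with IPv6 bound.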
TL;DR
Microsoft uses link-local fe80 addresses and the loopback address ::1 for internal purposes.
IPv6 is preferred over IPv4 when it is bound to a network adapter, including for said special non-routable addresses.
Please disable IPv6 only temporarily, when you cannot patch this CVE immediately or in time, and take notes of the current configuration first.
Please spread the word, and keep in mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issues due to a lack of testing.