Frag out: four remote attack bugs fixed in Microsoft’s February Patch Tuesday

Microsoft’s second monthly security update release of 2021 addresses 56 newly-identified vulnerabilities in the Windows operating system and other products, nine of them designated as critical. But the relatively small number of vulnerabilities doesn’t lessen the importance of the February Patch Tuesday fixes—especially since, once again, one of them is actively being exploited.

That bug, CVE-2021-1732, is a privilege escalation vulnerability in Windows’ Win32k.sys. Even though it’s actively being exploited, 1732 is not the most urgent of February’s fixes—even though it would be ample enough reason on its own to patch. Four network-based vulnerabilities are potentially much more dangerous, and rated by Microsoft as being more likely to be exploited.  Some of them could potentially be exploited in an attack across the Internet.

Bad Packets

Three separate bugs in Windows’ TCP/IP networking stack are addressed in the latest patch release. The first, CVE-2021-24074, is a remote code execution bug in Windows systems’ handling of inbound IPv4 packets. An attacker could exploit this bug by crafting traffic using two IPv4 protocol features:

•  IP fragmentation: the option to “break” a packet into multiple packet fragments. When all fragments are received, they are reassembled back into a single packet on the endpoint.
• Loose Source and Record Route (LSRR):  LSRR is an archaic IPv4 header option that implements “Source Routing”, a way for packets to request routers to choose and record the path through which the network will route them.

For the bug to be exploited, both of these features of IPv4 have to be used at the same time—something that would (almost) never happen accidentally. Crafted packets using both features could cause the Windows TCP/IP driver (tcpip.sys) to confuse the internal data structures of the individual packet fragments and those of the reassembled packet. This can cause the driver to read memory outside the boundaries of an internal buffer (an “out-of-bounds read”  condition); with a crafted set of packets, this could lead to an out-of-bounds write condition that could corrupt memory in a way that leads to remote code execution.

This is particularly dangerous, since the vulnerable code is running in the context of a Windows Kernel driver—if successfully exploited, the attacker could execute code with kernel-level privileges. The good news is that remote exploitation of this bug may be thwarted by default by many firewalls and routers. The LSRR option has long been considered insecure because it could be leveraged for address spoofing, and packets containing it are often filtered out of Internet traffic. The bug could still be delivered over less complex local area networks, however, so patching the vulnerability should still be given a high priority.

The two other TCP/IP vulnerabilities revealed in February’s release are related to fragmented packets as well—but in these cases, they’re IPv6 packets.

The more severe of the two is CVE-2021-24094, a bug that is triggered when Windows’ tcpip.sys performs a “recursive reassembly” on fragmented packets. Under certain circumstances, the reassembly process can cause  a dangling pointer condition — with the driver leaving open a pointer to memory space that has been de-allocated that can be exploited to remotely execute code.  

The second IPv6 bug, CVE-2021-24086, also occurs during fragmented packet reassembly. In this case, however, the vulnerability is triggered by a large volume of  extension headers in the fragmented packets.  If the bug is successfully triggered, a NULL pointer dereference occurs, crashing the kernel and the Windows system with it, yielding a Blue Screen of Death.

Microsoft did not indicate whether the two bugs can be triggered over the Internet or if they are limited to being exploited on LAN networks only.

It’s always DNS

Another network-based vulnerability fixed in February’s security patches, CVE-2021-24078, is a bug in Windows DNS Server that could result in remote code execution. This one is definitely exploitable from the Internet, but requires an especially coordinated level of evil to execute. The attacker would have to cause a query to the DNS server for a domain it hasn’t seen before, resulting in a query to a root DNS server. The attacker would then have to spoof the response before it could be returned by the actual root DNS server.

Because the attacker needs to be able to spoof the root server’s response before the real response comes back, the greatest threat of attacks exploiting this bug will come from a threat inside the local network, where packet spoofing is more feasible. But because DNS is based on UDP, the attack could potentially be executed over the Internet.

Other bugs of note