Description
Windows TCP/IP Denial of Service Vulnerability
Mitigations
This vulnerability affects all Windows IPv6 deployments, but Windows systems that are ONLY configured with IPv6 link-local addresses are not reachable by remote attackers. IPv6 link-local addresses are not routable on the internet, and an attack would need to originate from the same logical or adjacent network segment.
Workaround
1. Set global reassemblylimit to 0
The following command disables packet reassembly: any out-of-order fragments are dropped. Legitimate traffic should not produce more than 50 out-of-order fragments. We recommend testing the change before applying it to production systems.
Netsh int ipv6 set global reassemblylimit=0
Further netsh guidance can be found in the netsh documentation.
Impact of workaround
There is a potential for packet loss when discarding out-of-order packets.
How to undo the workaround
To restore the default setting (267748640):
Netsh int ipv6 set global reassemblylimit=267748640
2. Configure an edge device, such as a firewall or load balancer, to disallow IPv6 fragmentation. Host-based firewalls do not provide sufficient protection.
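The following script is an added example and is not part of the advisory; it wraps workaround 1 (apply, verify, revert) so the change can be scripted and checked rather than typed blind. It assumes an elevated session, uses only the netsh commands quoted above, and reads the value back by parsing the "Reassembly Limit" row of netsh interface ipv6 show global (the row label is assumed to be English; on a localized Windows the label text differs and the regex must be adjusted). The function names are hypothetical.

```powershell
# Added example, not from the advisory. Run in an elevated (Administrator) PowerShell.
# Plain PowerShell 2.0-compatible syntax so it also works on Windows 7 / Server 2008 R2.

$DefaultReassemblyLimit = 267748640   # default value quoted in the advisory

function Get-ReassemblyLimit {
    # Parse the current value from netsh output instead of trusting local state.
    # Assumption: English row label "Reassembly Limit"; localized builds print a different label.
    $lines = netsh interface ipv6 show global
    foreach ($l in $lines) {
        if ($l -match 'Reassembly Limit\s*:\s*(\d+)') {
            return [int64]$matches[1]
        }
    }
    throw "Could not find 'Reassembly Limit' in 'netsh interface ipv6 show global' output"
}

function Set-ReassemblyLimit {
    param([Parameter(Mandatory=$true)][int64]$Value)
    # Same command as the advisory; "reassemblylimit=0" disables reassembly, the default restores it.
    netsh interface ipv6 set global "reassemblylimit=$Value" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh returned exit code $LASTEXITCODE (not elevated?)"
    }
    # Read back and confirm, so a silently ignored setting is caught immediately.
    $actual = Get-ReassemblyLimit
    if ($actual -ne $Value) {
        throw "Expected reassemblylimit=$Value but netsh reports $actual"
    }
    return $actual
}

function Test-IPv6GlobalAddress {
    # Hosts that carry only link-local (fe80::/10) IPv6 addresses are not reachable by remote
    # attackers (see Mitigations); report whether any non-link-local IPv6 address is configured.
    $lines = netsh interface ipv6 show addresses
    foreach ($l in $lines) {
        # Match an address token that is not in fe80::/10 and is not loopback.
        if ($l -match '(?i)\b([0-9a-f]{1,4}(:[0-9a-f]{0,4}){2,7})\b') {
            $addr = $matches[1]
            if ($addr -notmatch '^(?i)fe[89ab]' -and $addr -ne '::1') { return $true }
        }
    }
    return $false
}

# --- Apply the workaround, leave room for application testing, then revert ---
$before = Get-ReassemblyLimit
Write-Host ("Current reassemblylimit: {0}" -f $before)
Write-Host ("Host has a non-link-local IPv6 address: {0}" -f (Test-IPv6GlobalAddress))

Set-ReassemblyLimit -Value 0 | Out-Null
Write-Host "Workaround applied: out-of-order IPv6 fragments will now be dropped."

# Run your application/traffic tests here and watch for fragment-related packet loss.

# Revert to the advisory's default when testing is complete (or after the update is installed):
# Set-ReassemblyLimit -Value $DefaultReassemblyLimit
```

Keep the pre-change value that the script prints; if an organisation has already tuned the limit, reverting to the advisory's default rather than to that value would silently change behaviour.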
FAQ
Where can I find more information about this vulnerability?
Please see MSRC Blog regarding the TCP/IP vulnerabilities discussed in CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094.
Updates
Product | Article | Update |
---|---|---|
Windows Server 2008 for 32-bit Systems Service Pack 2 | | |
Windows Server 2008 for x64-based Systems Service Pack 2 | | |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | | |
Windows 7 for 32-bit Systems Service Pack 1 | | |
Windows 7 for x64-based Systems Service Pack 1 | | |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | | |
Windows Server 2012 | | |
Windows Server 2012 (Server Core installation) | | |
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DoS
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Windows Event Tracing denial of service vulnerability (an attacker can cause a denial of service)
EPSS
CVSS3: 7.5 High