March Vuln of the Month: CVE-2021-24094
Share with Your Network
It’s Exploit Wednesday, and that means we’re publishing the second entry in our new Vuln of the Month blog series. If you missed last month’s debut, this series spotlights a named CVE that may not already be on your radar screen, but probably should be.
This month’s vuln: CVE-2021-24094
Kenna Security’s research team is closely tracking CVE-2021-24094, a Remote Code Execution vulnerability in the default TCP/IP stack on all supported Microsoft operating systems. This vuln is an up-and-comer: No proof of concept exploit code is known to exist yet, and we haven’t seen any indications of it actively being exploited. But there are plenty of reasons this one is worth watching.
Our research shows that CVE-2021-24094 meets many of the criteria we look for to be widely exploited. We’ve listed these criteria by their significance in assessing the risk that it will be weaponized:
- Access complexity: Low
- Potential attack surface: > 1 billion
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Complete
- Exploit code published: No
- Active exploits observed: No
As the above graph illustrates, only 3.23% of observed vulnerabilities pose a larger risk than CVE-2021-24094.
Why CVE-2021-24094 matters
With a broad attack surface–it’s a Windows vuln affecting all IPv6 deployments, after all–CVE-2021-24094 is one of a trio of TCP/IP stack vulnerabilities that Microsoft closed last month. (The others are CVE-2021-24086 and CVE-2021-24074.)
One reason we chose this vuln is, quite simply, there is a strong chance that bad actors will release functional exploits targeting it. In fact, in Microsoft’s own exploitability assessment, it characterizes CVE-2021-24094 as “exploitation more likely,” a ranking that may not sound ominous on its face, but in fact is just one notch below “exploit detected.”
CVE-2021-24094 currently has a Kenna Risk Score of 59, which places it in the top 96th percentile of all known vulns in terms of relative risk. There is much to warrant this rating. An exploit of this vulnerability requires no special user authorization, and a successful attack could shut down a network even after the attack itself is over, with low levels of attack complexity indicating that an attacker can look forward to “repeated success.” No interaction with users is required to execute an attack, and a remote attack can be achieved at the protocol level one or two hops away from the target network via multiple routers.
It’s also worth noting that while Microsoft released information on CVE-2021-24094 on Feb. 9, the NVD page associated with this vuln was still pending on March 1 That means anyone relying on NVD for vulnerability information until March 2 would have been met with a large, unhelpful blind spot.
Bottom line
The high risk score associated with this vuln suggests that this vulnerability should be patched on every supported version of Windows.
Mitigation status
Microsoft published security updates to address CVE-2021-24094 on Patch Tuesday, Feb. 9, 2021. Microsoft’s advisory site also lists specific mitigations and workarounds.
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning.
