CVE-2024-38063, CVSS 9.8, import free 2008/R2 + 2012R2 into WSUS

Using the network properties GUI to disable IPv6 is not supported

This registry value doesn’t affect the state of the following check box. Even if the registry key is set to disable IPv6, the check box in the Networking tab for each interface can be selected. This is an expected behavior.

ONLY for 2008R2 where the 07-2024 want update

Yes there is a link but the download links are EMPTY there for the KB 😉

https://support.microsoft.com/de-de/topic/fehlermeldung-wenn-sie-ein-msu-updatepaket-auf-einem-computer-installieren-auf-dem-windows-ausgef%C3%BChrt-wird-windows-modulinstallation-muss-aktualisiert-werden-bevor-sie-dieses-paket-installieren-k%C3%B6nnen-fe8d5770-df2e-f020-b47c-6605b0de15ba

So lets try all Update backwards maybe one brought it and we missed in WSUS or the ESU?

We tried all below but could not get it running > All where already installed.

2008R2 > None of these resolved it

KB5028264: Servicing stack update for Windows Server 2008 R2 SP1: July 11, 2023 – Microsoft Support

https://support.microsoft.com/en-us/topic/kb5028264-servicing-stack-update-for-windows-server-2008-r2-sp1-july-11-2023-e845ef0e-f4cc-4338-ac40-426f12dbb894

https://catalog.update.microsoft.com/Search.aspx?q=KB5028264

The KB5028264 seemed to have some parts in it we could install this. (KB5028264: Servicing stack update for Windows Server 2008 R2 SP1: July 11, 2023)

Also here would be the corrrect latest way for ESU Extended Support customers:

So the order for an existing ESU integrated 2008R2 would be:

The March 12, 2019 servicing stack update (SSU) (KB4490628).

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4490628

The latest SHA-2 update (KB4474419) released September 10, 2019.

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4474419

Extended Security Updates (ESU) Licensing Preparation Package

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4538483

Update for the Extended Security Updates (ESU) Licensing Preparation Package

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4575903

And then finally the 08/2024 Update.

https://www.catalog.update.microsoft.com/Search.aspx?q=5041838

IF you want those PRE REQ Packages the 2008R2 patch in WSUS:

.\ImportUpdateToWSUS.ps1 -Updateid 1d4f0343-a41a-4782-8aed-18a620431171

.\ImportUpdateToWSUS.ps1 -Updateid ac54099f-27ab-4e36-befd-a29c67ddeb6f

.\ImportUpdateToWSUS.ps1 -Updateid 44551c76-c430-4655-b791-665fea339ea8

.\ImportUpdateToWSUS.ps1 -Updateid 86381c48-1c0b-4479-8459-b1a8740bc63c

Servicing stack update for Windows Server 2008 R2 SP1: July 11, 2023

.\ImportUpdateToWSUS.ps1 -Updateid 298a1725-f89c-4759-a722-e6befc97c060

2008R2 08-2024

.\ImportUpdateToWSUS.ps1 -Updateid f34e1747-fedb-4962-bdae-dcbfbeda9c5a

IPV6 disable or not;-) If then absolute carefully and the correct way.

Configure IPv6 for advanced users – Windows Server | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

Problem when you turn off IPV6:

Example 1:

On Domain Controllers, you might run into where LDAP over UDP 389 will stop working. See How to use Portqry to troubleshoot Active Directory connectivity issues

Example 2:

Exchange Server 2010, you might run into problems where Exchange will stop working. See Arguments against disabling IPv6 and Disabling IPv6 And Exchange

Example 3:

Failover Clusters See What is a Microsoft Failover Cluster Virtual Adapter anyway? and Failover Clustering and IPv6 in Windows Server 2012 R2.

Built-In Dependence on IPv6

• Windows Components and Services- : Many Windows services and components, including newer features and some critical services, depend on IPv6. This includes features like DirectAccess, Remote Assistance, and certain Active Directory (AD) operations. Disabling IPv6 can lead to service disruptions or degraded performance.
  

• Loopback Address- : Windows uses the IPv6 loopback address (::1) by default for local communications. Disabling IPv6 can interfere with applications or services that rely on this loopback address.
  

Compatibility and Future-Proofing

• Future Protocol- : IPv6 is the future of networking. As the world gradually transitions from IPv4 due to its limitations (like address exhaustion), IPv6 is becoming increasingly important. By disabling IPv6, you’re essentially future-proofing your systems, making them ready for newer network infrastructures.
  

• Dual Stack Requirements- : Modern Windows Servers are designed to operate in dual-stack environments, where both IPv4 and IPv6 are enabled. This dual-stack configuration ensures compatibility and smooth communication across different network types.
  

Active Directory and Group Policy

• Active Directory Operations- : Active Directory (AD) services, which are crucial in domain-joined environments, are optimized to work with IPv6. Some AD operations, like the Domain Controller Locator, can leverage IPv6 for better performance and reliability. Disabling IPv6 can lead to unexpected issues in AD replication and authentication.
  
• Group Policy Processing- : Group Policy relies on network communication with domain controllers. If IPv6 is disabled, you might experience delays or failures in Group Policy processing, especially in networks where IPv6 is predominant.
  

Networking Issues and Supportability

• Network Connectivity- : Disabling IPv6 can lead to network connectivity issues, especially in environments where IPv6 is already in use or where ISPs or other services depend on IPv6 for communication. Some applications might also perform poorly or fail entirely if they require IPv6.
  
• Microsoft Support- : Microsoft officially recommends against disabling IPv6 and may not provide full support for issues arising from its deactivation. This can be particularly problematic in enterprise environments where timely support is critical.
  

Incorrect Disabling Can Cause Problems

• Misconfiguration Risks- : Simply unchecking IPv6 in the network adapter settings is not the correct way to disable IPv6 and can lead to misconfigurations. For example, some Windows services might still attempt to use IPv6, leading to unpredictable behavior.
  
• Registry Modifications- : Disabling IPv6 through the registry or other methods can lead to a state where the system believes IPv6 is still partially enabled, causing further complications. Microsoft’s documentation provides specific guidance on how to disable IPv6 properly if it’s absolutely necessary, which underscores the complexity and risks involved.
  

Performance Considerations

• Network Performance- : IPv6 can offer performance improvements in certain scenarios, such as faster routing and improved handling of large address spaces. Disabling it might not yield any performance benefits and could even degrade performance in IPv6-enabled networks.
  

While there might be specific scenarios where disabling IPv6 could be justified (such as certain legacy applications or devices that do not support it), the general recommendation is to keep IPv6 enabled. Disabling it can lead to significant issues in a modern domain-joined Windows Server environment, including Active Directory problems, connectivity issues, and a lack of support from Microsoft.

If there is a need to address specific issues related to IPv6, it is better to troubleshoot and configure IPv6 properly rather than disabling it entirely.

How to disable IPV6 the corect way on Windows Server 2016, 2019, and 2022 so it protects from: CVE-2024-38063

Method 1 would not stop the CVE-2024-38063

Method 1

Disabling IPv6 on Windows Server 2016, 2019, and 2022

Disable IPv6 Completely

1. Open the Registry Editor (regedit).

2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

3. Create a DWORD (32-bit) value named DisabledComponents.

4. Set the value to 0xFF (Decimal 255) to disable IPv6 entirely.

5. Restart the server for the changes to take effect.

Summary of Key Registry Values

– Disable IPv6: 0xFF (Decimal 255)

Prefer IPv4 over IPv6

1. Open the Registry Editor (regedit).

2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters.

3. Create a DWORD (32-bit) value named DisabledComponents.

4. Set the value to 0x20 (Decimal 32) to prefer IPv4 over IPv6.

5. Restart the server for the changes to take effect.

Method 1 would not stop the CVE-2024-38063

This recommandation comes from the KNOW problem with disabling IPV6 full. But in the case with the leak this is a problem because it does not protect you.

Important Considerations

Do Not Disable IPv6: Disabling IPv6 can cause issues with Windows components. It’s generally recommended to configure your system to prefer IPv4 over IPv6 instead of disabling IPv6 entirely.

BUT: THIS would not stop the CVE-2024-38063

Disable IPV6 via REGISTRY

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

The IPv6 functionality can be configured by modifying the following registry key:

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Name: DisabledComponents
Type: REG_DWORD
Min Value: 0x00 (default value)
Max Value: 0xFF (IPv6 disabled)

Expand table

Cmd.exe > Reg.exe One liner (Also below values to do it right)

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters” /v DisabledComponents /t REG_DWORD /d <value> /f

Replace the value part as needed

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

How to calculate the registry value

Windows use bitmasks to check the DisabledComponents values and determine whether a component should be disabled.

To learn which component each bit (from low to high) controls, refer to the following table.

Expand table

For each bit, 0 means false and 1 means true. Refer to the following table for an example.

Expand table

And what about prefer IPV4 over IPV6 which some have active on Windows Servers?

Ever used? Remember where? How does this come INTO the mix with IPV6 disable dont right or wrong?????

– `0x01`: Disable IPv6 on all interfaces except the loopback interface.

– `0xFF`: Disable IPv6 entirely.

Method 1: Prefer IPv4 over IPv6 (See below THIS would not stop the CVE-2024-38063)