MS SRV Disable IPv6 the correct way CVE-2024-38063

Recommendation 16.08.2024 for CVE-2024-38063 and IPV6

There is a patch from 2008-2022+ Servers so use it See following LINK on how to import the older OS patches into WSUS

CVE-2024-38063, CVSS 9.8, import free 2008/R2 + 2012R2 into WSUS – www.butsch.ch

https://www.butsch.ch/post/cve-2024-38063-cvss-9-8-how-to-import-the-free-2008-2008r2-patch-into-wsus/
If you can’t patch then as least options CAREFULLY consider disabling IPV6 the correct way and fully (Not on Cluster, Exchange, Domain Controllers etc.) We have all the info below on how to do it correct (NOT in the GUI and just uncheck IPv6 box). Prefer IPv4 over IPv6 settings in Registry WILL NOT protect you
You can use our ipv6checker interactive PowerShell tool to disable (See end of blog for download links)

CVE-2024-38063

Only IPv6 enabled endpoint are affected
Do not disable IPv6 on Exchange, Cluster, DAG, Domain Controller, Direct Access (MS VPN) etc.
IF you disable IPv6 do it the right way and NOT via GUI and unselect IPV6 checkbox ONLY (WRONG) See at end of this POST on how to do it correct and also NOT only change to Prefer IPv4 over IPv6 (Which would not stop CVE-2024-38063)

CVE-2024-38063 – Security Update Guide – Microsoft – Windows TCP/IP Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

NVD – CVE-2024-38063 (nist.gov)

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

IPV6 disable or not;-) If then absolute carefully and the correct way.

Configure IPv6 for advanced users – Windows Server | Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

Problem when you turn off IPV6:

Example 1:

On Domain Controllers, you might run into where LDAP over UDP 389 will stop working. See How to use Portqry to troubleshoot Active Directory connectivity issues

Example 2:

Exchange Server 2010, you might run into problems where Exchange will stop working. See Arguments against disabling IPv6 and Disabling IPv6 And Exchange

Example 3:

Failover Clusters See What is a Microsoft Failover Cluster Virtual Adapter anyway? and Failover Clustering and IPv6 in Windows Server 2012 R2.

Just a sample from Exchange

IPv6EnabledCheck – Microsoft – CSS-Exchange

https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/IPv6EnabledCheck/

How to disable IPV6 the correct way on Windows Server 2016, 2019, and 2022 so it protects from: CVE-2024-38063

Method 1 would not stop the CVE-2024-38063

Disabling IPv6 on Windows Server 2016, 2019, and 2022

Disable IPv6 Completely

1. Open the Registry Editor (regedit).

2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

3. Create a DWORD (32-bit) value named DisabledComponents.

4. Set the value to 0xFF (Decimal 255) to disable IPv6 entirely.

5. Restart the server for the changes to take effect.

Summary of Key Registry Values

– Disable IPv6: 0xFF (Decimal 255)

Prefer IPv4 over IPv6

1. Open the Registry Editor (regedit).

2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters.

3. Create a DWORD (32-bit) value named DisabledComponents.

4. Set the value to 0x20 (Decimal 32) to prefer IPv4 over IPv6.

5. Restart the server for the changes to take effect.

Method 1 would not stop the CVE-2024-38063

This recommandation comes from the KNOW problem with disabling IPV6 full. But in the case with the leak this is a problem because it does not protect you.

Important Considerations

Do Not Disable IPv6: Disabling IPv6 can cause issues with Windows components. It’s generally recommended to configure your system to prefer IPv4 over IPv6 instead of disabling IPv6 entirely.

BUT: THIS would not stop the CVE-2024-38063

Disable IPV6 via REGISTRY

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

The IPv6 functionality can be configured by modifying the following registry key:

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Name: DisabledComponents
Type: REG_DWORD
Min Value: 0x00 (default value)
Max Value: 0xFF (IPv6 disabled)

Expand table

IPv6 Functionality	Registry value and comments
Prefer IPv4 over IPv6	Decimal 32 Hexadecimal 0x20 Binary xx1x xxxx Recommended instead of disabling IPv6.
Disable IPv6	Decimal 255 Hexadecimal 0xFF Binary 1111 1111 See startup delay occurs after you disable IPv6 in Windows if you encounter startup delay after disabling IPv6 in Windows 7 SP1 or Windows Server 2008 R2 SP1. Additionally, system startup will be delayed for five seconds if IPv6 is disabled by incorrectly, setting the DisabledComponents registry setting to a value of 0xffffffff. The correct value should be 0xff. For more information, see Internet Protocol Version 6 (IPv6) Overview. The DisabledComponents registry value doesn’t affect the state of the check box. Even if the DisabledComponents registry key is set to disable IPv6, the check box in the Networking tab for each interface can be checked. This is an expected behavior. You cannot completely disable IPv6 as IPv6 is used internally on the system for many TCPIP tasks. For example, you will still be able to run ping ::1 after configuring this setting.
Disable IPv6 on all nontunnel interfaces	Decimal 16 Hexadecimal 0x10 Binary xxx1 xxxx
Disable IPv6 on all tunnel interfaces	Decimal 1 Hexadecimal 0x01 Binary xxxx xxx1
Disable IPv6 on all nontunnel interfaces (except the loopback) and on IPv6 tunnel interface	Decimal 17 Hexadecimal 0x11 Binary xxx1 xxx1
Prefer IPv6 over IPv4	Binary xx0x xxxx
Re-enable IPv6 on all nontunnel interfaces	Binary xxx0 xxxx
Re-enable IPv6 on all tunnel interfaces	Binary xxx xxx0
Re-enable IPv6 on nontunnel interfaces and on IPv6 tunnel interfaces	Binary xxx0 xxx0

Cmd.exe > Reg.exe One liner (Also below values to do it right)

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters” /v DisabledComponents /t REG_DWORD /d <value> /f

Replace the value part as needed

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

How to calculate the registry value

Windows use bitmasks to check the DisabledComponents values and determine whether a component should be disabled.

To learn which component each bit (from low to high) controls, refer to the following table.

Expand table

Name	Setting
Tunnel	Disable tunnel interfaces
Tunnel6to4	Disable 6to4 interfaces
TunnelIsatap	Disable Isatap interfaces
Tunnel Teredo	Disable Teredo interfaces
Native	Disable native interfaces (also PPP)
PreferIpv4	Prefer IPv4 in default prefix policy
TunnelCp	Disable CP interfaces
TunnelIpTls	Disable IP-TLS interfaces

For each bit, 0 means false and 1 means true. Refer to the following table for an example.

Expand table

Setting	Prefer IPv4 over IPv6 in prefix policies	Disable IPv6 on all nontunnel interfaces	Disable IPv6 on all tunnel interfaces	Disable IPv6 on nontunnel interfaces (except the loopback) and on IPv6 tunnel interface
Disable tunnel interfaces	0	0	1	1
Disable 6to4 interfaces	0	0	0	0
Disable Isatap interfaces	0	0	0	0
Disable Teredo interfaces	0	0	0	0
Disable native interfaces (also PPP)	0	1	0	1
Prefer IPv4 in default prefix policy.	1	0	0	0
Disable CP interfaces	0	0	0	0
Disable IP-TLS interfaces	0	0	0	0
Binary	0010 0000	0001 0000	0000 0001	0001 0001
Hexadecimal	0x20	0x10	0x01	0x11

Carefully because:

Built-In Dependence on IPv6

Windows Components and Services- : Many Windows services and components, including newer features and some critical services, depend on IPv6. This includes features like DirectAccess, Remote Assistance, and certain Active Directory (AD) operations. Disabling IPv6 can lead to service disruptions or degraded performance.

Loopback Address- : Windows uses the IPv6 loopback address (::1) by default for local communications. Disabling IPv6 can interfere with applications or services that rely on this loopback address.

Compatibility and Future-Proofing

Future Protocol- : IPv6 is the future of networking. As the world gradually transitions from IPv4 due to its limitations (like address exhaustion), IPv6 is becoming increasingly important. By disabling IPv6, you’re essentially future-proofing your systems, making them ready for newer network infrastructures.

Dual Stack Requirements- : Modern Windows Servers are designed to operate in dual-stack environments, where both IPv4 and IPv6 are enabled. This dual-stack configuration ensures compatibility and smooth communication across different network types.

Active Directory and Group Policy

Active Directory Operations- : Active Directory (AD) services, which are crucial in domain-joined environments, are optimized to work with IPv6. Some AD operations, like the Domain Controller Locator, can leverage IPv6 for better performance and reliability. Disabling IPv6 can lead to unexpected issues in AD replication and authentication.
Group Policy Processing- : Group Policy relies on network communication with domain controllers. If IPv6 is disabled, you might experience delays or failures in Group Policy processing, especially in networks where IPv6 is predominant.

Networking Issues and Supportability

Network Connectivity- : Disabling IPv6 can lead to network connectivity issues, especially in environments where IPv6 is already in use or where ISPs or other services depend on IPv6 for communication. Some applications might also perform poorly or fail entirely if they require IPv6.
Microsoft Support- : Microsoft officially recommends against disabling IPv6 and may not provide full support for issues arising from its deactivation. This can be particularly problematic in enterprise environments where timely support is critical.

Incorrect Disabling Can Cause Problems

Misconfiguration Risks- : Simply unchecking IPv6 in the network adapter settings is not the correct way to disable IPv6 and can lead to misconfigurations. For example, some Windows services might still attempt to use IPv6, leading to unpredictable behavior.
Registry Modifications- : Disabling IPv6 through the registry or other methods can lead to a state where the system believes IPv6 is still partially enabled, causing further complications. Microsoft’s documentation provides specific guidance on how to disable IPv6 properly if it’s absolutely necessary, which underscores the complexity and risks involved.

Performance Considerations

Network Performance- : IPv6 can offer performance improvements in certain scenarios, such as faster routing and improved handling of large address spaces. Disabling it might not yield any performance benefits and could even degrade performance in IPv6-enabled networks.

While there might be specific scenarios where disabling IPv6 could be justified (such as certain legacy applications or devices that do not support it), the general recommendation is to keep IPv6 enabled. Disabling it can lead to significant issues in a modern domain-joined Windows Server environment, including Active Directory problems, connectivity issues, and a lack of support from Microsoft.

If there is a need to address specific issues related to IPv6, it is better to troubleshoot and configure IPv6 properly rather than disabling it entirely.

DOWNLOAD

Use our interactive little tool called ipv6checker, 16.08.2024

https://www.butsch.ch/wp-content/uploads/tools/ipv6checker/ipv6chcker.ps1

MD5 2B9322D9EC85B77BC05C20661BCC182D

SHA256 3475C8A38204A097196BF06E4BF9E99A3E3774EA952AF8C5089EE5C411DA1C0D

https://www.butsch.ch/wp-content/uploads/tools/ipv6checker/ipv6cheecker.7z

MD5 79178F2F739A5A3D5B89BC4E6C72BBD4

698098C6AC1E6745C4A2F382347A33F883BAFD5547959065A18FAA1C3BFADECC

PS Verify MD5 or SHA256 on your client:

get-FileHash .\ipv6checker.7z -Algorithm md5

get-FileHash .\ipv6checker.7z -Algorithm sha256

get-FileHash .\ipv6checker.ps1 -Algorithm md5

get-FileHash .\ipv6checker.ps1 -Algorithm sha256

https://www.virustotal.com/gui/file-analysis/MmI5MzIyZDllYzg1Yjc3YmMwNWMyMDY2MWJjYzE4MmQ6MTcyMzgwMTQzMw==

# ipv6checker.ps1


# DISABLE IPV6 on network Interface interactive | BLOG www.butsch.ch


# Please read https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows


# Please read https://www.butsch.ch/post/ms-srv-disable-ipv6-the-correct-way-cve-2024-38063/


# -------------------------------------------------------------


# V1.0, 16.08.2024, Mike, First release with interactice menu


Import-Module NetAdapter


$networkAdapters = Get-NetAdapter


Start-Transcript -Path (Join-Path -Path $PWD.Path -ChildPath "ipv6checker_PowerShellTranscript.log") -Append


function checkipv6status {


Param (


[Parameter(Mandatory=$true,Position=0)]


[string] $AdapterName


)


try {


$ipv6Enabled = Get-NetAdapterBinding -Name $AdapterName | Where-Object { $_.ComponentID -eq "ms_tcpip6" }


if ($ipv6Enabled -ne $null -and $ipv6Enabled.Enabled) {


return $true


} else {


return $false


}


} catch {


Write-Host "* Failed to check IPv6 status for adapter '$AdapterName'. Error: $_" -ForegroundColor Red


Add-Content -Path "error.log" -Value "$(Get-Date): Failed to check IPv6 status for adapter '$AdapterName'. Error: $_"


return $false


}


}


function displayipv6adapters {


Write-Host "`n+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host "| Adapter Name | Description | IPv6 Status " -ForegroundColor Cyan


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


foreach ($adapter in $networkAdapters) {


$interfaceAlias = $adapter.Name


$description = $adapter.InterfaceDescription


try {


# Get network adapter status


$netAdapter = Get-NetAdapter -Name $interfaceAlias


# Check if IPv6 is enabled


$ipv6Enabled = checkipv6status -AdapterName $interfaceAlias


$ipv6Status = if ($ipv6Enabled) { " < Enabled [X]" } else { " < Disabled [ ]" }


# Check interface operational status


$interfaceStatus = $netAdapter.Status


# Output the result


Write-Host ("| " + $interfaceAlias + ", " + $description + ", " + $ipv6Status + ", Interface is: " + $interfaceStatus) -ForegroundColor Cyan


} catch {


Write-Host "* Failed to display IPv6 status for adapter '$interfaceAlias'. Error: $_" -ForegroundColor Red


Add-Content -Path "error.log" -Value "$(Get-Date): Failed to display IPv6 status for adapter '$interfaceAlias'. Error: $_"


}


}


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host ""


}


function disableipv6onadapter {


Param (


[Parameter(Mandatory=$true,Position=0)]


[string] $AdapterName


)


try {


$ipv6Enabled = checkipv6status -AdapterName $AdapterName


if ($ipv6Enabled) {


Write-Host "* Disabling IPv6 on adapter '$AdapterName'. Are you sure? (Y/N):" -ForegroundColor Green


$confirmation = Read-Host


if ($confirmation -eq 'Y') {


Disable-NetAdapterBinding -Name $AdapterName -ComponentID "ms_tcpip6"


Write-Host "* IPv6 has been disabled on adapter '$AdapterName'." -ForegroundColor Green


} else {


Write-Host "* Action cancelled for adapter '$AdapterName'." -ForegroundColor Yellow


}


} else {


Write-Host "* IPv6 is already disabled on adapter '$AdapterName'." -ForegroundColor Red


}


} catch {


Write-Host "* Failed to disable IPv6 on adapter '$AdapterName'. Error: $_" -ForegroundColor Red


Add-Content -Path "error.log" -Value "$(Get-Date): Failed to disable IPv6 on adapter '$AdapterName'. Error: $_"


}


}


function enableipv6onadapter {


Param (


[Parameter(Mandatory=$true,Position=0)]


[string] $AdapterName


)


try {


Enable-NetAdapterBinding -Name $AdapterName -ComponentID "ms_tcpip6"


Write-Host "* IPv6 has been enabled on adapter '$AdapterName'." -ForegroundColor Green


} catch {


Write-Host "* Failed to enable IPv6 on adapter '$AdapterName'. Error: $_" -ForegroundColor Red


Add-Content -Path "error.log" -Value "$(Get-Date): Failed to enable IPv6 on adapter '$AdapterName'. Error: $_"


}


}


function disableipv6onalladapters {


foreach ($adapter in $networkAdapters) {


$interfaceAlias = $adapter.Name


try {


$ipv6Enabled = checkipv6status -AdapterName $interfaceAlias


if ($ipv6Enabled) {


Write-Host "* Disabling IPv6 on adapter '$interfaceAlias'. Are you sure? (Y/N):" -ForegroundColor Green


$confirmation = Read-Host


if ($confirmation -eq 'Y') {


Disable-NetAdapterBinding -Name $interfaceAlias -ComponentID "ms_tcpip6"


Write-Host "* IPv6 has been disabled on adapter '$interfaceAlias'." -ForegroundColor Green


} else {


Write-Host "* Action cancelled for adapter '$interfaceAlias'." -ForegroundColor Yellow


}


} else {


Write-Host "* IPv6 is already disabled on adapter '$interfaceAlias'." -ForegroundColor Red


}


} catch {


Write-Host "* Failed to disable IPv6 on adapter '$interfaceAlias'. Error: $_" -ForegroundColor Red


Add-Content -Path "error.log" -Value "$(Get-Date): Failed to disable IPv6 on adapter '$interfaceAlias'. Error: $_"


}


}


}


function showmenu {


Write-Host "`n+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host "| ipv6checker, www.butsch.ch, use at own risk " -ForegroundColor Cyan


Write-Host "| V1.0, 16.08.2024, Mike " -ForegroundColor Cyan


Write-Host "| Please read:                                              " -ForegroundColor Cyan


Write-Host "| https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows " -ForegroundColor Cyan


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host "| 1. Display all adapters with IPv6 status " -ForegroundColor Cyan


Write-Host "| 2. Disable IPv6 on a specific adapter " -ForegroundColor Cyan


Write-Host "| 3. Enable IPv6 on a specific adapter " -ForegroundColor Cyan


Write-Host "| 4. Disable IPv6 on all adapters " -ForegroundColor Cyan


Write-Host "| 5. Exit " -ForegroundColor Cyan


Write-Host "| 6. Open Website https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows " -ForegroundColor Cyan


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


}


# Main script loop


do {


showmenu


$choice = Read-Host "Enter your choice (1-5)"


switch ($choice) {


1 {


displayipv6adapters


}


2 {


Write-Host "`n+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host "Available network adapters:" -ForegroundColor Cyan


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


$i = 1


foreach ($adapter in $networkAdapters) {


# Correctly check IPv6 status for each adapter


$ipv6Enabled = checkipv6status -AdapterName $adapter.Name


$ipv6Status = if ($ipv6Enabled) { " < Enabled [X]" } else { " < Disabled [ ]" }


Write-Host "$i. $($adapter.Name) - $($adapter.InterfaceDescription) - IPv6 Status: $ipv6Status - Interface is: $($adapter.Status)"


$i++


}


$adapterChoice = Read-Host "Enter the number of the adapter to disable IPv6 on"


$selectedAdapter = $networkAdapters[$adapterChoice - 1].Name


Write-Host "* Selected adapter: $selectedAdapter"


disableipv6onadapter -AdapterName $selectedAdapter


}


3 {


Write-Host "`n+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


Write-Host "Available network adapters:" -ForegroundColor Cyan


Write-Host "+--------------------------------------------------------------------------------------------------------" -ForegroundColor Cyan


$i = 1


foreach ($adapter in $networkAdapters) {


# Correctly check IPv6 status for each adapter


$ipv6Enabled = checkipv6status -AdapterName $adapter.Name


$ipv6Status = if ($ipv6Enabled) { " < Enabled [X]" } else { " < Disabled [ ]" }


Write-Host "$i. $($adapter.Name) - $($adapter.InterfaceDescription) - IPv6 Status: $ipv6Status - Interface is: $($adapter.Status)"


$i++


}


$adapterChoice = Read-Host "Enter the number of the adapter to enable IPv6 on"


$selectedAdapter = $networkAdapters[$adapterChoice - 1].Name


Write-Host "* Selected adapter: $selectedAdapter"


enableipv6onadapter -AdapterName $selectedAdapter


}


4 {


disableipv6onalladapters


}


5 {


Write-Host "* Exiting..." -ForegroundColor Green


exit


}


    6


    {


    Write-Host "Opening the website for IPv6 configuration..." -ForegroundColor Cyan


    Start-Process "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows"


    }


default {


Write-Host "* Invalid selection. Please enter a number from 1 to 5." -ForegroundColor Red


}


}


} while ($true)


stop-transcript

MS SRV Disable IPv6 the correct way CVE-2024-38063

Posted by admin on 16.08.2024

How to calculate the registry value

Related Post

CRL check, Zertifikatsperrlisten Software, Certificate Revocation List Check Tool zum suchen aller geblockten CRL in Firmenumgebungen, crlcheck.exe

WINSCP you cannot see the WINSCP console on a multi monitor system

ChatGPT/Azure answers risk question about M365 and generates C# code


Try our new Certificate Revocation List Check Tool CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.