Remote code execution vulnerability found in Microsoft's ICMP handling

Overview

Microsoft’s latest patching cycle included a fix for a Critical vulnerability (CVE-2023-23415) in Windows Internet Control Message Protocol (ICMP) handling. ICMP is the protocol used by Ping and other low-level networking tools.

Exploitation requires an attacker to deliver a carefully crafted ICMP packet to the target machine, a prerequisite that greatly restricts the practicality of such an attack.

Most organisations will already block this type of traffic to their network at the firewall level and home users will be safe behind their router’s NAT. Cloud-based services are also likely to be safe as Azure and Amazon Web Services (AWS) don’t allow inbound ICMP by default.

Additionally, in order to trigger the vulnerable code path, an application on the target must be bound to a raw socket, which is uncommon behaviour and requires administrative permissions.

Impact

If a victim is using certain applications which bind to a raw socket, an attacker with network-level access may be able to execute code on the device.

Vulnerability Detection

A fix was released with the March updates so any devices not yet updated will still be vulnerable.

Affected Products

Microsoft Windows ICMP

Containment, Mitigations & Remediations

– Apply the March updates
– Ensure inbound ICMP is blocked on perimeter firewalls
– As policy, prevent users from having administrative access where not needed.
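As an added example to complement the perimeter check above (not part of the original bulletin), the following PowerShell script audits a Windows host's own firewall for enabled inbound rules that allow ICMPv4 or ICMPv6 and reports the default inbound action per profile. It uses only the standard NetSecurity module cmdlets and assumes it is run in an elevated session on the host being checked.

```powershell
# Audit Windows Defender Firewall for enabled inbound rules that allow ICMP.
# Added example, not the bulletin's own code; run elevated on the Windows host.

function Get-InboundIcmpAllowRule {
    [CmdletBinding()]
    param()

    # Only enabled, inbound, Allow rules can expose ICMP handling to remote senders.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction Stop

    foreach ($rule in $rules) {
        # Each rule carries one port filter; Protocol is e.g. 'ICMPv4', 'ICMPv6', 'TCP', 'UDP' or 'Any'.
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -in @('ICMPv4', 'ICMPv6')) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $filter.Protocol
                IcmpType      = $filter.IcmpType
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

# A DefaultInboundAction of Block means unsolicited ICMP is dropped unless a rule allows it.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

$icmpRules = Get-InboundIcmpAllowRule
if ($icmpRules) {
    Write-Warning 'Enabled inbound rules allowing ICMP found; review them against the mitigations above:'
    $icmpRules | Format-Table -AutoSize
} else {
    Write-Output 'No enabled inbound ICMP allow rules found on this host.'
}
```

Rules scoped to RemoteAddress values such as LocalSubnet still permit ICMP from the local network, which is exactly the position the bulletin says an attacker would need.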

Indicators of Compromise

No exploitation known.

Threat Landscape

A critical remote code execution (RCE) vulnerability in ICMP handling initially sounds quite alarming, reminiscent of the old Ping of Death attack from the ’90s, but the requirements to exploit this vulnerability limit its use substantially.
An attacker effectively needs to be on the local network already, and from that position a great number of other options are available to them.

The researcher who reported the bug to Microsoft has noted on social media that while provoking a crash is easy, exploiting it reliably for code execution is a lot more difficult.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
