Hello, welcome to the Wednesday, February 10th, 2021 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, Microsoft Patch Tuesday, of course, top of the news. Now, the number of vulnerabilities is pretty small. Microsoft fixed

56 vulnerabilities, 11 of which are rated critical. One has already been exploited, and

six were previously disclosed. But what's really kind of interesting with this particular patch set are three different

vulnerabilities that all have a CVSS score of 9.8.

The first one, Microsoft DNS server, another remote code execution vulnerability. Last one we had was back in July, if you remember.

And back then, well, we're sort of lucky was never really exploited.

I don't think there was ever sort of a full remote code execution exploit released.

Microsoft does rate exploitation likely for this vulnerability, CVE

2021-2478.

The second interesting vulnerability is a remote code execution in the TCP IP stack, and yes,

it affects source routing.

Source routing is one of those features you probably should block at your routers.

Don't really see it used for anything good these days or for the last 20 or so years.

Essentially, source routing allows the sender of a packet to define which routers a packet will be routed through, and many routers will outright just drop the packets or at least ignore it.

Windows will also ignore the option, but it will still return an ICMP message indicating that it denied the request, and apparently

there is a remote code execution here as the packet is being parsed.

The real workaround here is probably just not to allow any IPV4 options.

The official workaround is to block packets that have the source routing option set.

And then third, well, IPV6.

If IPV4 still has vulnerabilities, IPV6, of course, can't stand behind.

CVE 2021, 24094, which is patched here, does allow remote code execution via oddly fragmented packets.

...