CVE-2021-24074 Overview
CVE-2021-24074 is a critical remote code execution vulnerability affecting the Windows TCP/IP network stack. This vulnerability exists in the IPv4 source routing component of the Windows TCP/IP driver (tcpip.sys), allowing a remote attacker to execute arbitrary code on vulnerable systems without any user interaction or authentication.
The vulnerability stems from improper handling of IPv4 packets with specific source routing options. An attacker can craft malicious network packets that, when processed by the vulnerable TCP/IP stack, trigger memory corruption leading to arbitrary code execution at the kernel level. Given that this vulnerability can be exploited remotely over the network without authentication, it represents a significant threat to enterprise environments running affected Windows versions.
Critical Impact
Remote attackers can execute arbitrary code with kernel-level privileges on vulnerable Windows systems by sending specially crafted IPv4 packets, potentially leading to complete system compromise without any user interaction.
Affected Products
- Microsoft Windows 10 (multiple versions including 1607, 1803, 1809, 1909, 2004, 20H2)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016 (including versions 1909 and 2004)
- Microsoft Windows Server 2019
Discovery Timeline
- February 25, 2021 - CVE-2021-24074 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-24074
Vulnerability Analysis
This remote code execution vulnerability affects the Windows TCP/IP implementation, specifically in how the network stack processes IPv4 packets containing source routing options. The vulnerability resides in the kernel-mode driver tcpip.sys, which is responsible for handling all TCP/IP network communications on Windows systems.
When a malformed IPv4 packet with specially crafted source routing headers is received, the TCP/IP stack fails to properly validate and handle the routing information. This improper handling results in memory corruption within the kernel address space. Since the vulnerability operates at the kernel level, successful exploitation grants the attacker SYSTEM-level privileges, the highest privilege level on Windows systems.
The network-based attack vector makes this vulnerability particularly dangerous in enterprise environments where systems may be exposed to untrusted network traffic. No authentication is required, and the attack can be initiated without any user interaction on the target system.
Root Cause
The root cause of CVE-2021-24074 lies in improper input validation within the IPv4 source routing implementation in the Windows TCP/IP stack. IPv4 source routing is a mechanism that allows the sender of a packet to specify the route the packet should take through the network. The vulnerability occurs when the TCP/IP driver processes packets containing malformed or unexpected source routing options.
The driver fails to properly validate boundary conditions and data structures when parsing source routing information, leading to memory corruption. This is a classic case of insufficient input validation in kernel-mode code, where malicious input can manipulate internal memory structures used by the network stack.
Attack Vector
The attack vector for CVE-2021-24074 is network-based, requiring the attacker to send specially crafted IPv4 packets to a vulnerable Windows system. The attack characteristics include:
- Remote Exploitation: The attacker can be located anywhere on the network that can route packets to the target system
- No Authentication Required: The vulnerable code path is reached during packet processing before any authentication occurs
- No User Interaction: The target system user does not need to perform any action; simply having the system connected to the network is sufficient
- Kernel-Level Execution: Successful exploitation results in code execution with kernel privileges
The attacker crafts IPv4 packets with malicious source routing options designed to trigger the memory corruption condition. When the vulnerable Windows system receives and processes these packets, the TCP/IP stack's improper handling leads to exploitation. The exploitation mechanism involves sending malformed IPv4 packets that abuse the source routing functionality to corrupt kernel memory and achieve code execution.
Detection Methods for CVE-2021-24074
Indicators of Compromise
- Unusual IPv4 packets with source routing options (IP options 131/LSRR or 137/SSRR) targeting Windows systems
- Unexpected system crashes or blue screens (BSOD) related to tcpip.sys
- Signs of kernel-level code execution such as unauthorized driver loading or kernel memory manipulation
- Network traffic anomalies showing malformed IPv4 packets from external sources
Detection Strategies
- Monitor network traffic for IPv4 packets containing Loose Source Record Route (LSRR) or Strict Source Record Route (SSRR) options
- Implement intrusion detection system (IDS) rules to detect malformed IPv4 source routing packets
- Enable Windows kernel crash dump analysis to identify exploitation attempts that cause system instability
- Deploy network packet capture at perimeter firewalls to log and analyze suspicious IPv4 traffic patterns
Monitoring Recommendations
- Configure network security monitoring tools to alert on IPv4 source routing packet anomalies
- Implement endpoint detection and response (EDR) solutions to monitor for kernel-level exploitation indicators
- Review Windows Event Logs for unexpected tcpip.sys errors or system crashes
- Establish baseline network traffic patterns to detect deviations that may indicate exploitation attempts
How to Mitigate CVE-2021-24074
Immediate Actions Required
- Apply the Microsoft security update released in February 2021 immediately on all affected systems
- If patching is not immediately possible, implement the recommended workaround to disable IPv4 source routing
- Prioritize patching for systems directly exposed to untrusted networks or the internet
- Conduct an inventory of all Windows systems to identify those running affected versions
Patch Information
Microsoft has released security updates to address CVE-2021-24074 as part of the February 2021 Patch Tuesday release. The patches are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations should prioritize deployment of these updates given the critical severity and network-based attack vector.
For detailed patch information and download links, refer to the Microsoft Security Advisory for CVE-2021-24074.
Workarounds
- Disable IPv4 source routing at the operating system level using registry modifications
- Block IPv4 packets containing source routing options (IP option types 131 and 137) at network perimeter firewalls
- Implement network segmentation to limit exposure of vulnerable systems to untrusted traffic
- Consider using IPsec to authenticate network traffic where applicable
# Disable IPv4 source routing via Windows Registry
# Run these commands in an elevated command prompt
# Disable source routing for IPv4
netsh int ipv4 set global sourceroutingbehavior=drop
# Alternatively, set the registry key directly
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
# After applying the workaround, restart the system for changes to take effect
# Note: This workaround may impact legitimate source routing functionality if used in your environment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
