Vulnerability Alert Windows IPSec Ed0.4
Ref.: TSB_2022_04
SECURITY VULNERABILITY ALERT BULLETIN
Date: 16/09/2022
Edition: 0.4
Folio: 1/3
Public Security & Identity BU
IPSec Vulnerabilities in Windows OS
Vulnerability synthesis
In their September release of security patches, Microsoft disclosed several vulnerabilities related to
remote access using the IPSec (Internet Protocol Security) protocol. Among them, 3 are critical:
- CVE-2022-34718: A malicious remote, unauthenticated actor who can send a specially crafted IPv6
  packet to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run
  arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: check Annex A for a full list of vulnerable OS versions (provided they use IPv6).
- CVE-2022-34721: A malicious remote, unauthenticated actor who can send a specially crafted IP
  packet to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run
  arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: check Annex A for a full list of vulnerable OS versions.
- CVE-2022-34722: A malicious remote, unauthenticated actor who can send a specially crafted IP
  packet to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run
  arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: check Annex A for a full list of vulnerable OS versions.
Applicability
These vulnerabilities impact all Windows OS versions starting from Windows Vista and Windows 7 (i.e.
Windows Server 2008 and 2008 R2). Windows Server 2003 and earlier versions of Windows implement only
the IKE protocol, not the protocol extensions that appear to be impacted by the vulnerabilities.
Level of criticality
The threats come first from the Internet and untrusted networks connected to our systems. Remote
stations/operators should be considered untrusted zones.
Back-end insiders must also be considered potential threat actors.
The fact that the attacker does not have to be authenticated prior to the attack, and that no user
interaction is required, increases the likelihood (and therefore the criticality) of the vulnerability.
This document and the information it contains is the property of IDEMIA Identity & Security. It may not be used, reproduced or transmitted to a third
party without prior written approval.
IDEMIA Internal
- Disable IPSec on all Windows servers. All Windows servers facing external systems or untrusted
  networks are top priorities (usually in the DMZ, presentation and application tiers, and
  infrastructure servers such as MS Active Directory, DNS, NTP ...). Patching the remaining Windows
  servers (usually in the data and administration tiers) is highly recommended. If your system
  implements an IPSec connection on a Windows server, a specific analysis with a security engineer
  shall be performed.
  o To disable the services on one server, follow the manual procedure below:
    1. Open the "Services" management console.
    2. Scroll to the names of the services (IPsec Policy Agent, and IKE and AuthIP IPsec Keying
       Module).
    3. Right-click > Properties (or double-click).
    4. Change the Startup Type to Disabled.
    5. Apply.
    6. Click "Stop".
- Assess whether the workstations need IPSec (and disable it on those that don't). By default, these
  services are enabled and running.
Programmes shall report to their management how they handle this vulnerability, i.e. whether they
deploy the patches or apply the mitigation, and why they chose the mitigation instead of patching.
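As an added example (not part of the bulletin), the following PowerShell script performs the assessment and mitigation above on one host: it reports the state of the two services named in the procedure, checks whether the host actually has IPsec rules or security associations in use, and disables and stops the services only when run with -Disable and nothing is in use. The service short names (PolicyAgent, IKEEXT) and the NetSecurity cmdlets used for the check are assumptions about the Windows build; run it elevated.

```powershell
# Added example, not the bulletin's own procedure. Assumed short names:
#   PolicyAgent = "IPsec Policy Agent", IKEEXT = "IKE and AuthIP IPsec Keying Module".
# Without -Disable the script only reports; with -Disable it honours -WhatIf/-Confirm.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable
)

$services = @('PolicyAgent', 'IKEEXT')

# 1. Report current service state, so the result can be included in the
#    report to management the bulletin asks for.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name not present on $env:COMPUTERNAME"; continue }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartType = $svc.StartType
    } | Format-Table -AutoSize
}

# 2. Assessment step: an enabled IPsec rule in the active policy store or a live
#    main-mode SA means this host relies on IPsec and must be escalated to a
#    security engineer rather than disabled blindly.
$activeRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                 Where-Object Enabled -eq 'True')
$activeSAs   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

if ($activeRules.Count -gt 0 -or $activeSAs.Count -gt 0) {
    $msg = "IPsec appears to be in use on $env:COMPUTERNAME " +
           "($($activeRules.Count) enabled rule(s), $($activeSAs.Count) main-mode SA(s)); " +
           "not disabling - escalate for analysis."
    Write-Warning $msg
    return
}

# 3. Mitigation: same effect as the manual console steps (Startup Type = Disabled, then Stop).
if ($Disable) {
    foreach ($name in $services) {
        if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME/$name", 'Disable and stop service')) {
            Set-Service -Name $name -StartupType Disabled
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Write-Output "$name disabled and stopped on $env:COMPUTERNAME"
        }
    }
}
```

Run it first without -Disable across the server estate to build the inventory, then with -Disable -WhatIf to preview before applying.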
Links:
Windows IPSec critical vulnerabilities:
- CVE-2022-34718 - Security Update Guide - Microsoft - Windows TCP/IP Remote Code Execution
  Vulnerability
- CVE-2022-34721 - Security Update Guide - Microsoft - Windows Internet Key Exchange (IKE) Protocol
  Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 - Security Update Guide - Microsoft - Windows Internet Key Exchange (IKE) Protocol
  Extensions Remote Code Execution Vulnerability
Windows security update bulletin:
- September 2022 Security Updates - Release Notes - Security Update Guide - Microsoft
Annex A
List of the main vulnerable Operating Systems