
Ref.: TSB_2022_04
SECURITY VULNERABILITY ALERT BULLETIN
Date: 16/09/2022
Edition: 0.4
Folio: 1/3
Public Security & Identity BU
IPSec Vulnerabilities in Windows OS

Role             Name                   BU / Entity / Position   Date
Established by:  Silviu NUNU            PSI/STA/IT Transverse    16/09/2022
Reviewed by:     Jean-Paul BERNOVILLE   PSI/STA/IT Transverse    19/09/2022
Reviewed by:     Olivier PEREIRA        PSI/STA/IT Transverse    -
Approved by:     Samuel VINSON          PSI BU CSO               20/09/2022

Vulnerability synthesis

Synthesis
In their September release of security patches, Microsoft disclosed several vulnerabilities related to remote access using the IPSec (Internet Protocol Security) protocol. Among them, 3 critical vulnerabilities:

- CVE-2022-34718: A malicious remote and unauthorized actor who can send a specially crafted IPv6 packet, without authentication, to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: Check Annex A for a full list of vulnerable OS versions (provided they use IPv6).

- CVE-2022-34721: A malicious remote and unauthorized actor who can send a specially crafted IP packet, without authentication, to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: Check Annex A for a full list of vulnerable OS versions.

- CVE-2022-34722: A malicious remote and unauthorized actor who can send a specially crafted IP packet, without authentication, to a vulnerable host (Windows machine, IPSec enabled) will potentially be able to run arbitrary code on the server side.
  o CVSSv3: 9.8 (Critical)
  o Impacted products: Check Annex A for a full list of vulnerable OS versions.
Applicability
These vulnerabilities impact all Windows OS versions starting from Windows Vista and Windows 7 (i.e. Windows Server 2008 and 2008 R2). Windows Server 2003 and earlier versions of Windows implement only the IKE protocol and not the protocol extensions that seem to be impacted by the vulnerabilities.

Level of criticality
The threats come first from the Internet and from untrusted networks connected to our systems. Remote stations and operators should be considered as untrusted zones.
Back-end insiders must also be considered as potential threat actors.
The fact that the attacker does not have to be authenticated prior to the attack, and that no user interaction is required, increases the likelihood (and therefore the criticality) of the vulnerability.

This document and the information it contains is the property of IDEMIA Identity & Security. It may not be used, reproduced or transmitted to a third party without prior written approval.

IDEMIA Internal

Patch or workaround availability

Microsoft already released security patches to address these vulnerabilities.
It is strongly recommended that you immediately patch the vulnerable Windows Operating Systems.
As a temporary mitigation, or as a compensating control in case the patches cannot be applied for the 3 critical vulnerabilities (e.g. when the OS is out of standard support and no extended support was purchased), you need to:

- Disable IPSec on all Windows Servers. All Windows servers facing external systems or untrusted networks are top priorities (usually in DMZ, presentation and application tiers, and infrastructure servers such as MS Active Directory, DNS, NTP ...). Patching the remaining Windows servers (usually in data tiers and administration tiers) is highly recommended. If your system implements an IPSec connection on a Windows server, a specific analysis with a security engineer shall be performed.
  o To disable the services on one server, follow the manual procedure below:
    - Open the "Services" management console.
    - Scroll to the names of the services (IPsec Policy Agent, IKE and AuthIP IPsec Keying Module).
    - Right-click Properties (or double-click).
    - Change the Startup Type to Disabled.
    - Apply.
    - Click "Stop".

- Assess whether the workstations need IPSec (and disable it on those that don't). By default, these services are enabled and running.
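The following PowerShell script is an added example, not part of the bulletin: it first assesses whether a host actually uses IPSec (enabled IPsec rules, live security associations) and only then, on request, applies the same change as the manual Services console steps above. It assumes the service names PolicyAgent and IKEEXT (the short names behind the display names "IPsec Policy Agent" and "IKE and AuthIP IPsec Keying Module") and the NetSecurity cmdlets available on Windows 8 / Windows Server 2012 and later.

```powershell
# Added example (not part of the bulletin): assess IPsec usage on a Windows host,
# then optionally apply the bulletin's compensating control by disabling the
# "IPsec Policy Agent" (service name PolicyAgent) and "IKE and AuthIP IPsec Keying
# Module" (service name IKEEXT) services. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script only reports
)

$services = 'PolicyAgent', 'IKEEXT'

# 1. Assessment: is IPsec actually in use here? Enabled IPsec rules or live
#    main-mode / quick-mode security associations mean something on this host
#    depends on IPsec, which calls for the security engineer analysis the bulletin
#    requires before disabling anything.
$svc   = Get-Service -Name $services -ErrorAction SilentlyContinue
$rules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
         Where-Object { "$($_.Enabled)" -eq 'True' }
$mmSa  = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue
$qmSa  = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    PolicyAgentStatus = ($svc | Where-Object Name -eq 'PolicyAgent').Status
    IKEEXTStatus      = ($svc | Where-Object Name -eq 'IKEEXT').Status
    EnabledIPsecRules = @($rules).Count
    MainModeSAs       = @($mmSa).Count
    QuickModeSAs      = @($qmSa).Count
} | Format-List

$inUse = (@($rules).Count + @($mmSa).Count + @($qmSa).Count) -gt 0
if (-not $Disable) { return }
if ($inUse) {
    Write-Warning 'IPsec rules or security associations are active; review with a security engineer before disabling.'
    return
}

# 2. Mitigation: same effect as the manual Services console steps
#    (Startup Type = Disabled, then Stop). -WhatIf previews the change.
foreach ($name in $services) {
    if ($PSCmdlet.ShouldProcess($name, 'Set startup type to Disabled and stop service')) {
        Set-Service  -Name $name -StartupType Disabled
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
}
Get-Service -Name $services | Select-Object Name, Status, StartType
```

Run it without parameters on each server or workstation to collect the assessment the bulletin asks for; run it with -Disable (or -Disable -WhatIf to preview) only on hosts where the report shows no IPsec dependency.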
Programmes shall report to their management how they handle this vulnerability, i.e. deploy patches or apply the mitigation, and why they did so (instead of applying patches).

Links:
- Windows IPSec critical vulnerabilities:
  CVE-2022-34718 - Security Update Guide - Microsoft - Windows TCP/IP Remote Code Execution Vulnerability
  CVE-2022-34721 - Security Update Guide - Microsoft - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  CVE-2022-34722 - Security Update Guide - Microsoft - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- Windows security update bulletin:
  September 2022 Security Updates - Release Notes - Security Update Guide - Microsoft


Annex A
The list of main vulnerable Operating Systems

Product                                          Support    Download
Windows Server 2012 R2                           ESU        Monthly Rollup; Security Only
Windows Server 2012                              ESU        Monthly Rollup; Security Only
Windows Server 2008 R2 Service Pack 1            EOS        Monthly Rollup; Security Only
Windows Server 2008 Service Pack 2               EOS        Monthly Rollup; Security Only
Windows Server 2008 Service Pack 2               EOS        Monthly Rollup
Windows RT 8.1                                   ESU        Monthly Rollup
Windows 8.1 for x64-based systems                ESU        Monthly Rollup; Security Only
Windows 8.1 for 32-bit systems                   ESU        Monthly Rollup; Security Only
Windows 7 for x64-based Systems Service Pack 1   EOS        Monthly Rollup; Security Only
Windows 7 for 32-bit Systems Service Pack 1      EOS        Monthly Rollup; Security Only
Windows Server 2016                              ESU        Security Update
Windows 10 Version 1607                          EOS        Security Update
Windows 10                                       Standard   Security Update
Windows 10 Version 21H2                          Standard   Security Update
Windows 11                                       Standard   Security Update
Windows 10 Version 20H2                          EOS        Security Update
Windows Server 2022 Azure Edition Core Hotpatch  Standard   Security Hotpatch; Update
Windows Server 2022                              Standard   Security Update
Windows 10 Version 21H1                          Standard   Security Update
Windows Server 2019                              Standard   Security Update
Windows 10 Version 1809                          EOS        Security Update
Legend:
EOS: End of Support (meaning extended support already ended)
ESU: Extended security update
For other Windows OS, please refer to the Microsoft security update bulletin.
