These newly disclosed vulnerabilities in tcpip.sys are a really interesting case study in why holistic security matters. Sure, you should still be patching, but are your firewalls and IPS systems properly configured? If so, these probably aren't an issue 1/ msrc-blog.microsoft.com/2021…
First, let's look at CVE-2021-24094/24086. Both involve the reassembly of packet fragments. If you've never dealt with issues of IP fragmentation and never had to worry about the MTU across the network path, that's okay. It was a common thing many moons ago, but not much today. 2/
In IPv4 there are lots of variations in how fragments are handled, particularly for out of order delivery. It turns out the original standards weren't very clear on this so everybody did what was easy. But as IPv6 was being built, the standard is clear: no overlaps. 3/
We still have an issue of how long to keep IPv6 packet fragments in memory for. It turns out this is where the vuln is at. By sending too many packet fragments out of order, they must be stored somewhere pending reassembly at a later time (when all fragments are present). 4/
But here's the rub: you likely aren't seeing legitimate IPv6 fragmentation at all (if so I'd be REALLY interested to know what the use case is). Take a look at your packet capture and determine "do I have these?" If not, block them from transiting network devices. 5/
Now on to CVE-2021-24074. This deals with IPv4 source routing, another blast from the past. Back in the day, some engineer thought "we need a way to specify in the IP header that we are smarter than the routers handling our packets." I'm sure it solved some problem at the time. 6/
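A small detection pass over raw IP packets that answers the thread's "do I have these?" question for both classes at once: IPv6 Fragment headers (the reassembly bugs, CVE-2021-24094/24086) and IPv4 LSRR/SSRR options (the source-routing bug, CVE-2021-24074). This is an added example, not code from the thread or from Microsoft; the sample packets are constructed inline for illustration.

```python
import struct

IPV6_FRAGMENT = 44
IPV6_EXT_HEADERS = {0, 43, 44, 60}        # hop-by-hop, routing, fragment, destination options
IPV4_OPT_LSRR, IPV4_OPT_SSRR = 131, 137   # loose / strict source and record route

def ipv6_fragment_info(pkt):
    """Walk the IPv6 extension-header chain; return the Fragment header fields, or None if absent."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], 40
    while nh in IPV6_EXT_HEADERS and off + 8 <= len(pkt):
        if nh == IPV6_FRAGMENT:
            frag_field, ident = struct.unpack_from("!HI", pkt, off + 2)
            return {"offset": frag_field >> 3, "more": bool(frag_field & 1), "id": ident}
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units, excluding the first 8
    return None

def ipv4_source_route(pkt):
    """Return 'LSRR' or 'SSRR' if the IPv4 options carry a source route, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    opts, i = pkt[20:(pkt[0] & 0x0F) * 4], 0
    while i < len(opts) and opts[i] != 0:      # type 0 ends the option list
        if opts[i] == 1:                       # single-byte No-Operation
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # truncated or malformed length
            return None
        if opts[i] in (IPV4_OPT_LSRR, IPV4_OPT_SSRR):
            return "LSRR" if opts[i] == IPV4_OPT_LSRR else "SSRR"
        i += opts[i + 1]
    return None

def audit(packets):
    """Count packets per class; a non-zero count is the 'do I have these?' answer from the thread."""
    counts = {"ipv6_fragments": 0, "ipv4_source_routed": 0}
    for p in packets:
        counts["ipv6_fragments"] += ipv6_fragment_info(p) is not None
        counts["ipv4_source_routed"] += ipv4_source_route(p) is not None
    return counts

# Constructed sample packets (not real captures): one IPv6 fragment and one IPv4 packet with an LSRR option.
def build_ipv6_fragment(offset, more, ident):
    frag = struct.pack("!BBHI", 17, 0, (offset << 3) | int(more), ident)   # next header UDP, offset in 8-octet units
    return struct.pack("!IHBB", 0x60000000, len(frag) + 8, IPV6_FRAGMENT, 64) + bytes(32) + frag + bytes(8)

def build_ipv4_lsrr():
    opts = bytes([IPV4_OPT_LSRR, 7, 4, 10, 0, 0, 1, 0])   # type, length, pointer, one hop address, EOL pad
    return struct.pack("!BBHHHBBH4s4s", 0x47, 0, 28, 0, 0, 64, 6, 0, bytes(4), bytes(4)) + opts
```

Feed `audit()` the IP-layer bytes of each frame from a capture (strip the Ethernet header first); a zero count for a class is the case where the thread suggests blocking that traffic at the network edge.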
Replying to @MalwareJake
The 1990’s called... and they’re really sad we’re still having vulns due to network fragmentation and source routing

Feb 11, 2021 · 3:39 PM UTC
