A look at CVE-2023-23415 — a Windows ICMP vulnerability + mitigations (which is not a cyber meltdown)

Kevin Beaumont, published in DoublePulsar, Mar 15, 2023

Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol.

Time to step in front of the vulnerability hype train

I’ve done a quick reverse engineer of the patch, using my deeply amateur skills, and wanted to add some parameters around exploitation scenarios.

Some parameters:

  • This vulnerability doesn’t apply to a fresh Windows OS install, either desktop or server.
  • You need an app listening on raw sockets to be vulnerable — think a packet sniffer (an app processing all network traffic) or similar. To be clear, this will exist in enterprises (hi people running Wireshark etc)… but it shouldn’t be every Windows PC on earth as a scope.
  • For an app to be listening on raw sockets, it needs admin rights.
  • You also need to allow ICMP inbound to be vulnerable, and the packets needed to trigger it are quite unusual.

So in terms of mitigations:

  • You don’t allow ICMP inbound from the internet to your Windows boxes, right? You may firewall this.
  • You have packet filtering and…
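The preconditions and the firewall mitigation above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from Microsoft: it looks for the capture-driver services that Wireshark-style tools install, lists enabled inbound firewall rules that allow ICMPv4, and, if asked, scopes those allow rules to internal address ranges so ICMP from the internet is no longer accepted. The service names (npcap, npf), the RFC 1918 ranges, and the KB placeholder are assumptions for this example; the cmdlets are the standard NetSecurity module ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit a Windows host for the
# CVE-2023-23415 preconditions described above and optionally apply the
# "don't allow ICMP inbound from the internet" mitigation.
[CmdletBinding()]
param(
    # Report only by default; pass -ApplyMitigation to rescope the allow rules.
    [switch]$ApplyMitigation
)

# 1. Raw-socket capture drivers. Service names assumed for this example:
#    'npcap' (Npcap, shipped with current Wireshark) and 'npf' (WinPcap).
$captureServices = Get-Service -Name 'npcap', 'npf' -ErrorAction SilentlyContinue
if ($captureServices) {
    Write-Warning ("Packet capture driver service(s) present: {0}" -f ($captureServices.Name -join ', '))
} else {
    Write-Host "No common packet capture driver services found."
}

# 2. Enabled inbound rules that allow ICMPv4 at all, with their remote scope.
$icmpAllowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' }

foreach ($rule in $icmpAllowRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("Inbound ICMPv4 allowed by '{0}' (profile: {1}, remote: {2})" -f `
        $rule.DisplayName, $rule.Profile, $remote)
}

# 3. Patch check. The KB number is a placeholder; take the real one for your
#    OS build from the MSRC advisory for CVE-2023-23415.
$kb = 'KB-PLACEHOLDER'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "Hotfix $kb is installed."
} else {
    Write-Warning "Hotfix $kb not found; host may be unpatched."
}

# 4. Mitigation: scope every inbound ICMPv4 allow rule to internal ranges.
#    Windows Firewall evaluates block rules before allow rules, so adding a
#    blanket block would also break internal ping; narrowing the allow rules
#    and relying on the default inbound block is the cleaner change.
if ($ApplyMitigation -and $icmpAllowRules) {
    $internalRanges = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # adjust to your estate
    foreach ($rule in $icmpAllowRules) {
        $rule | Set-NetFirewallRule -RemoteAddress $internalRanges
        Write-Host ("Rescoped '{0}' to {1}" -f $rule.DisplayName, ($internalRanges -join ','))
    }
}
```

Run it once without arguments to see what is exposed, then with `-ApplyMitigation` after confirming the internal ranges match your network; hosts that have no capture driver, no inbound ICMPv4 allow rule, and the patch installed need no further action for this issue.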
