Remote Code Execution Vulnerability Found in Windows Internet Key Exchange

A series of exploits has been found in the wild targeting Windows Internet Key Exchange (IKE) Protocol Extensions.

According to a new advisory recently shared by security company Cyfirma with Infosecurity, the discovered vulnerabilities could have been exploited to target almost 1000 systems.

The attacks observed by the company are believed to be part of a campaign whose name roughly translates to “bleed you”, run by a Mandarin-speaking threat actor.

The Cyfirma Research team has also observed unknown hackers sharing an exploit link on underground forums, which could be used to target vulnerable systems.

“A critical vulnerability has been identified in Microsoft Windows IKE Protocol Extensions,” reads the advisory.

“This vulnerability [...] affects unknown code of the IKE Protocol Extensions component, manipulation of which leads to remote code execution (RCE).”

In particular, Cyfirma wrote that the vulnerability lies in the code used to handle the IKEv1 [...] protocol, which is deprecated but compatible with legacy systems.

The company has also clarified that while IKEv2 itself is not impacted, the vulnerability affects all Windows Servers because they accept both IKEv1 and IKEv2 packets, making the flaw critical.

“The [proof of concept] exploits a memory corruption issue with the svchost of the vulnerable system,” reads the technical write-up.

“Memory corruption occurs when Page Heap (a debugging plug-in) in the system is enabled for the Internet Key Exchange process. The exe process hosting the Internet Key Exchange protocol service crashes while attempting to read data beyond an allocated buffer.”

In terms of attribution, Cyfirma said the threat actor is currently unknown but also that the team observed connections between the “bleed you” campaign and Russian cyber-criminals.

“From a strategic viewpoint on changing geopolitical scenarios from external threat landscape management, Russia and China are observed to form a strategic relationship,” wrote the company.

Cyfirma added that Microsoft has allocated CVE-2022-34721 to the issue and fixed it by adding a check on incoming data length and skipping processing of that data if the length is too small.
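The write-up describes an out-of-bounds read on incoming IKEv1 data and a fix that checks the data length before processing. The following is an added illustration of that bug class and that fix, not Microsoft's code or Cyfirma's proof of concept: a hypothetical parser for the IKEv1 generic payload header (next payload, reserved, 16-bit length, as laid out in RFC 2408), first trusting the input, then with the length checks that reject data too small to contain what is about to be read. The packet bytes are constructed samples, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Microsoft's IKE code: a hypothetical parser for the
 * IKEv1 generic payload header (next payload, reserved, 16-bit length) that
 * shows the class of bug the article describes and the length check that
 * fixes it. */
#define GENERIC_HDR_LEN 4

typedef struct {
    uint8_t  next_payload;
    uint8_t  reserved;
    uint16_t length;        /* declared payload length, header included */
} generic_hdr_t;

enum parse_result { PARSE_TOO_SHORT = -1, PARSE_BAD_LENGTH = -2 };

/* "Before": trusts the caller to supply at least four bytes and trusts the
 * declared length. Handing it a 2-byte buffer is an out-of-bounds read of
 * the kind the write-up says crashed the process hosting the IKE service.
 * Kept only for contrast; never feed it network data. */
int parse_payload_unchecked(const uint8_t *buf, generic_hdr_t *out)
{
    out->next_payload = buf[0];
    out->reserved     = buf[1];
    out->length       = (uint16_t)((buf[2] << 8) | buf[3]);
    return out->length - GENERIC_HDR_LEN;
}

/* "After": the fix described on the page, generalised. Returns the number of
 * body bytes that are safe to read, or a negative parse_result. */
int parse_payload_checked(const uint8_t *buf, size_t buf_len, generic_hdr_t *out)
{
    if (buf == NULL || out == NULL || buf_len < GENERIC_HDR_LEN)
        return PARSE_TOO_SHORT;             /* too small: skip processing */
    out->next_payload = buf[0];
    out->reserved     = buf[1];
    out->length       = (uint16_t)((buf[2] << 8) | buf[3]);   /* big-endian */
    /* A declared length shorter than its own header, or longer than what was
     * actually received, would send a later read past the end of the buffer. */
    if (out->length < GENERIC_HDR_LEN || out->length > buf_len)
        return PARSE_BAD_LENGTH;
    return (int)(out->length - GENERIC_HDR_LEN);
}

/* Constructed sample packets (not real captures). */
static const uint8_t sample_good[]  = {0x0a, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t sample_short[] = {0x0a, 0x00};                  /* truncated header */
static const uint8_t sample_lying[] = {0x0a, 0x00, 0x00, 0x40, 0x01, 0x02, 0x03, 0x04}; /* claims 64 bytes */

int check_good(void)  { generic_hdr_t h; return parse_payload_checked(sample_good,  sizeof sample_good,  &h); }
int check_short(void) { generic_hdr_t h; return parse_payload_checked(sample_short, sizeof sample_short, &h); }
int check_lying(void) { generic_hdr_t h; return parse_payload_checked(sample_lying, sizeof sample_lying, &h); }

int main(void)
{
    printf("well-formed:   %d body bytes\n", check_good());   /* 4 */
    printf("truncated:     %d\n", check_short());             /* -1 */
    printf("over-declared: %d\n", check_lying());             /* -2 */
    return 0;
}
```

The second check matters as much as the first: a packet can be long enough to hold the header yet declare a payload length larger than what arrived, so the safe body size is always bounded by the bytes actually received, never by the value the sender wrote into the header.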
