Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

It seems that all current Windows versions are affected (most likely also old versions out of support). But there is one prerequisite to exploit the vulnerability: an application needs to be bound to a raw socket.
Would be interesting to know what the cause is, but I guess we'll never get access to that, it's not open source.
OK, I ran netstat (portion attached). There are 4 statused as "ESTABLISHED," one that is "FIN_WAIT_1" and the rest are "TIME_WAIT." What should one look for? I see nothing with "RAW" in it.
The netstat command should have multiple options, but I don't know if the windows netstat is able to list the socket type.
Since the RAW was in IPv6, I used -s to get statistics (attached). Google showed [-w] for socket type = RAW, but: netstat -w just gave a return of allowed extensions, of which -w was not one.
Found this from Microsoft:
For IPv6 (address family of AF_INET6), an application receives everything after the last IPv6 header in each received datagram regardless of the IPV6_HDRINCL socket option. The application does not receive any IPv6 headers using a raw socket. (Jan 18, 2022)
I can't claim to understand it, but the last sentence seems clear if reliable.
@madires, Thank you so much. This is a new word for me.
If I'm understanding the documentation for raw sockets in Windows correctly, then any ICMP based application would open a raw socket.
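To make the "raw socket" prerequisite concrete, here is an added example that is not part of the thread: a minimal ICMP echo application of the kind the last post refers to, written in Python. It shows the socket call that makes a process "bound to a raw socket" (administrator privileges are required, so that function is only defined, not run), and it builds and parses the ICMP messages such an application would receive, including the difference quoted above from the Microsoft documentation: on IPv4 a raw socket hands the application the IP header too, while on IPv6 it receives only what follows the last IPv6 header. The packet bytes and the fake IPv4 header are constructed sample data; the function names are my own.

```python
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq)
    return header + payload


def parse_icmp(datagram: bytes, has_ipv4_header: bool) -> dict:
    """Parse what a raw socket hands the application.

    has_ipv4_header=True models an AF_INET raw socket, where the datagram
    starts with the IPv4 header; False models AF_INET6, where (per the
    Microsoft documentation quoted in the thread) the application gets
    only the bytes after the last IPv6 header.
    """
    if has_ipv4_header:
        ihl = (datagram[0] & 0x0F) * 4  # header length in bytes
        icmp = datagram[ihl:]
    else:
        icmp = datagram
    if len(icmp) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # Recompute the checksum with the checksum field zeroed and compare.
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": icmp[8:],
        "checksum_ok": icmp_checksum(zeroed) == csum,
    }


def open_raw_icmp_socket(family: int = socket.AF_INET) -> socket.socket:
    """The raw-socket bind the advisory's prerequisite refers to.

    Any ICMP-based tool (ping-style utilities, monitoring agents) does this.
    Needs administrator/root rights, so it is defined here but not called.
    """
    proto = socket.IPPROTO_ICMP if family == socket.AF_INET else socket.IPPROTO_ICMPV6
    return socket.socket(family, socket.SOCK_RAW, proto)


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"abcdefgh")
    print(parse_icmp(pkt, has_ipv4_header=False))
```

When auditing a host for this prerequisite, the practical question is which installed software opens such sockets; the snippet shows the call to look for (SOCK_RAW with IPPROTO_ICMP or IPPROTO_ICMPV6) rather than a netstat flag, since netstat on Windows does not label socket types.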