Researcher releases PoC code for Windows IKE RCE (CVE-2022-34721)
A security researcher at 78ResearchLab, a cyber security research company, has released proof-of-concept (PoC) exploit code for CVE-2022-34721, a critical remote code execution vulnerability in the Windows Internet Key Exchange (IKE) Protocol Extensions that affects multiple Windows versions.
According to Wikipedia, Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication ‒ either pre-shared or distributed using DNS (preferably with DNSSEC) ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived.
Microsoft warned that a threat actor can exploit the flaw (CVSSv3 base score 9.8) to execute arbitrary code on the system and urged users to install the patches immediately. The company credited Yuki Chen of Cyber KunLun with the discovery of the flaw.
By sending a specially crafted IP packet to a Windows host on which IPSec is enabled, an unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the system. IKE traffic is carried over UDP port 500 and, for NAT traversal, UDP port 4500, so a host that exposes those ports with the IKE service running is reachable through this vector. CVE-2022-34721 affects IKEv1 only; IKEv2 is not impacted. However, all Windows Server versions are affected because they accept both IKEv1 and IKEv2 packets. Microsoft fixed the bug in the September 2022 Patch Tuesday release.
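The version distinction in the preceding paragraph (only IKEv1 is in scope, yet servers accept both v1 and v2) can be checked directly on the wire, because both IKE versions share the same 28-byte ISAKMP fixed header and differ in the high nibble of its version byte. The following classifier is an added example, not code from the article or from 78ResearchLab's PoC; the sample datagrams are constructed with placeholder payload bytes and do not reproduce the CVE-2022-34721 trigger. It parses the header, rejects truncated or inconsistent datagrams, handles the non-ESP marker that precedes IKE on UDP/4500, and tallies how much IKEv1 traffic a capture contains.

```python
"""Classify IKE (ISAKMP) datagrams by protocol version.

Added example (not from the article or from 78ResearchLab). IKEv1 (RFC 2408)
and IKEv2 (RFC 7296) share the fixed ISAKMP header below; the high nibble of
the version byte is 1 or 2, which is what makes "accepts both V1 and V2
packets" a concrete triage question. Sample packets are constructed for
illustration only; their payloads are zero placeholders, not real SA payloads
and not the CVE-2022-34721 trigger.
"""
import struct

# ISAKMP fixed header, network byte order:
# initiator SPI(8) responder SPI(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
HEADER_LEN = ISAKMP_HEADER.size  # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on UDP/4500 (RFC 3948 NAT-T)

# Exchange type values from the respective RFCs.
IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_isakmp_header(pkt: bytes, udp_port: int = 500) -> dict:
    """Parse the fixed header of one IKE datagram and return its fields.

    Raises ValueError on truncated or inconsistent input, which is what a
    detection hook should do instead of guessing.
    """
    body = pkt
    if udp_port == 4500:
        if not pkt.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 IKE datagram lacks the non-ESP marker")
        body = pkt[len(NON_ESP_MARKER):]
    if len(body) < HEADER_LEN:
        raise ValueError(f"too short for an ISAKMP header ({len(body)} bytes)")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(body)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        raise ValueError(f"unknown IKE major version {major}")
    if length != len(body):
        raise ValueError(f"header length {length} != datagram length {len(body)}")
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return {
        "version": f"IKEv{major}", "major": major, "minor": minor,
        "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
        "next_payload": next_payload, "exchange_type": exch,
        "exchange_name": names.get(exch, f"unknown({exch})"),
        "flags": flags, "message_id": msg_id, "length": length,
    }


def is_ikev1(pkt: bytes, udp_port: int = 500) -> bool:
    """True when the datagram is IKEv1, the only version CVE-2022-34721 covers."""
    return parse_isakmp_header(pkt, udp_port)["major"] == 1


def count_by_version(datagrams) -> dict:
    """Tally (udp_port, bytes) pairs by IKE version; malformed datagrams are skipped."""
    counts = {}
    for port, pkt in datagrams:
        try:
            ver = parse_isakmp_header(pkt, port)["version"]
        except ValueError:
            continue
        counts[ver] = counts.get(ver, 0) + 1
    return counts


def build_isakmp(ispi, rspi, next_payload, version, exch, flags, msg_id, payload):
    """Serialize a header plus opaque payload bytes; used only to build samples."""
    return ISAKMP_HEADER.pack(ispi, rspi, next_payload, version, exch, flags,
                              msg_id, HEADER_LEN + len(payload)) + payload


# Constructed samples (hypothetical SPIs, zero-filled placeholder payloads).
SAMPLE_IKEV1_MAIN_MODE = build_isakmp(
    bytes.fromhex("0102030405060708"), bytes(8),
    next_payload=1, version=0x10, exch=2, flags=0x00, msg_id=0,
    payload=b"\x00" * 12)
SAMPLE_IKEV2_SA_INIT = build_isakmp(
    bytes.fromhex("1112131415161718"), bytes(8),
    next_payload=33, version=0x20, exch=34, flags=0x08, msg_id=0,
    payload=b"\x00" * 12)
SAMPLE_IKEV1_NAT_T = NON_ESP_MARKER + SAMPLE_IKEV1_MAIN_MODE  # as seen on UDP/4500

if __name__ == "__main__":
    capture = [(500, SAMPLE_IKEV1_MAIN_MODE), (500, SAMPLE_IKEV2_SA_INIT),
               (4500, SAMPLE_IKEV1_NAT_T)]
    for port, pkt in capture:
        h = parse_isakmp_header(pkt, port)
        print(port, h["version"], h["exchange_name"], "ikev1" if h["major"] == 1 else "")
    print(count_by_version(capture))
```

Fed with datagrams from a packet capture on UDP 500/4500, `count_by_version` shows whether a host is actually receiving IKEv1 exchanges; a server that needs only IKEv2 peers but still sees IKEv1 Main Mode or Aggressive Mode traffic has attack surface it could remove in addition to applying the patch.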
Today, 78ResearchLab publicly released the PoC code for this flaw on GitHub and says it will publish its analysis report soon. Given that a public PoC is now available, users running vulnerable Windows versions should prioritize applying the patches to reduce the window for exploitation attempts.