CVE-2021-24086
1. Set global reassembly limit to 0
The following command disables packet reassembly. Any out-of-order packets are dropped. Valid scenarios should not exceed 50 out-of-order fragments. We recommend testing prior to updating production systems.
Netsh int ipv6 set global reassemblylimit=0
Further guidance can be found in the netsh documentation.
Impact of workaround
There is a potential for packet loss when discarding out-of-order packets.
How to undo the workaround
To restore to default setting “267748640”:
Netsh int ipv6 set global reassemblylimit=267748640
2. Configure firewall or load balancers to disallow IPv6 UDP fragmentation
CVE-2021-24074
1. Set sourceroutingbehavior to “drop”
Use the following command:
netsh int ipv4 set global sourceroutingbehavior=drop
For more information about IPv4 registry settings, see Additional Registry Settings.
Impact of workaround
IPv4 source routing is considered insecure and is blocked by default in Windows; however, a system will still process the request and return an ICMP message denying it. The workaround causes the system to drop these requests altogether without any processing.
How to undo the workaround
To restore to default setting “Dontforward”:
netsh int ipv4 set global sourceroutingbehavior=dontforward
2. Configure firewall or load balancers to disallow source routing requests
CVE-2021-24094
1. Set global reassemblylimit to 0
The following command disables packet reassembly. Any out-of-order packets are dropped. Valid scenarios should not exceed 50 out-of-order fragments. We recommend testing prior to updating production systems.
Netsh int ipv6 set global reassemblylimit=0
Further guidance can be found in the netsh documentation.
Impact of workaround
There is a potential for packet loss when discarding out-of-order packets.
How to undo the workaround
To restore to default setting “267748640”:
Netsh int ipv6 set global reassemblylimit=267748640
2. Configure firewall or load balancers to disallow IPv6 UDP fragmentation
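The netsh workarounds above (the IPv6 reassembly limit for CVE-2021-24086 and CVE-2021-24094, and the IPv4 source-routing behavior for CVE-2021-24074) wrapped in one script, as an added example that is not part of the advisory: it records the host's actual pre-change values before applying the workarounds, so -Restore puts back what was really there rather than the assumed defaults, and prints a before/after comparison. It assumes an elevated session on Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets Get-NetIPv6Protocol and Get-NetIPv4Protocol are available for reading the current state; the backup path is a chosen example location.

```powershell
# Added example, not from the advisory. Applies (default) or undoes (-Restore)
# the netsh workarounds for CVE-2021-24086 / CVE-2021-24094 and CVE-2021-24074.
# Assumption: elevated PowerShell on Windows 8 / Server 2012 or later, where
# Get-NetIPv6Protocol / Get-NetIPv4Protocol (NetTCPIP module) exist.
[CmdletBinding()]
param(
    [switch]$Restore,
    [string]$BackupPath = "$env:ProgramData\tcpip-workaround-backup.json"  # example path
)

function Get-TcpipState {
    # Current values of the two settings the workarounds change.
    [pscustomobject]@{
        ReassemblyLimit       = (Get-NetIPv6Protocol).ReassemblyLimit
        SourceRoutingBehavior = [string](Get-NetIPv4Protocol).SourceRoutingBehavior
    }
}

function Invoke-Netsh([string[]]$NetshArgs) {
    # netsh reports failures as text; turn a non-zero exit into a terminating error.
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
}

$before = Get-TcpipState
if (-not $Restore) {
    # Write the backup only once, so a repeated run cannot overwrite the
    # genuine pre-workaround values with already-hardened ones.
    if (-not (Test-Path $BackupPath)) {
        $before | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
    }
    Invoke-Netsh 'int','ipv6','set','global','reassemblylimit=0'          # advisory command
    Invoke-Netsh 'int','ipv4','set','global','sourceroutingbehavior=drop'  # advisory command
} else {
    if (-not (Test-Path $BackupPath)) { throw "No backup at $BackupPath; nothing to restore." }
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    Invoke-Netsh 'int','ipv6','set','global',"reassemblylimit=$($saved.ReassemblyLimit)"
    Invoke-Netsh 'int','ipv4','set','global',"sourceroutingbehavior=$($saved.SourceRoutingBehavior)"
}

# Re-read and show what actually changed, so the result can be checked and logged.
$after = Get-TcpipState
"{0,-22} {1,-12} -> {2}" -f 'Setting', 'Before', 'After'
"{0,-22} {1,-12} -> {2}" -f 'ReassemblyLimit', $before.ReassemblyLimit, $after.ReassemblyLimit
"{0,-22} {1,-12} -> {2}" -f 'SourceRoutingBehavior', $before.SourceRoutingBehavior, $after.SourceRoutingBehavior
```

On a host still at the documented defaults, the first run should report ReassemblyLimit 267748640 -> 0 and SourceRoutingBehavior DontForward -> Drop; running again with -Restore reverses both from the saved backup.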