CVE-2022-33645 Windows TCP/IP Driver Denial of Service Vulnerability.

The Blackhole TCP/IP driver is installed on machines running a supported operating system. Its kernel module, blackhole.sys, which is part of the Blackhole TCP/IP stack, contains a flaw that can be exploited to crash the system and, as a result, deny service to other machines on the local network.

Blackhole TCP/IP is a Microsoft Windows network driver included in Windows Vista and later operating systems. It was introduced to support the Remote Direct Memory Access (RDMA) protocol. Blackhole is not enabled by default; it can be enabled via a registry setting or by installing the blackhole.sys kernel module.

The denial of service is triggered by sending specially crafted TCP packets to the blackhole.sys kernel module. An attacker who can deliver such packets crashes the module and ultimately denies service to other machines on the local network; no other access is required beyond the ability to send TCP packets to the module.

Keen readers will notice that the blackhole.sys kernel module is installed only as part of the Blackhole TCP/IP stack. Therefore, the vulnerability can only be exploited where a vulnerable blackhole.sys kernel module is present.
To be in possession of a blackhole.

Blackhole TCP/IP stack and blackhole.sys kernel module

The blackhole.sys kernel module is a part of the Blackhole TCP/IP stack. It's installed on a machine with a supported operating system and enabled via a registry setting or by installing the blackhole.sys kernel module.

To exploit this vulnerability, an attacker has to be in possession of a vulnerable blackhole.sys kernel module.

Blackhole TCP/IP stack overview

The Blackhole TCP/IP stack is a Microsoft Windows network driver that can be installed on computers with supported operating systems. The blackhole.sys kernel module, which is part of the Blackhole TCP/IP stack, has a flaw that can be exploited to crash the system and ultimately deny service to other machines on the local network. Since the vulnerability can be triggered by any attacker able to deliver malicious packets to the module, it poses a significant risk for organizations running vulnerable blackhole.sys kernel modules in their environments.
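Because the module is only exploitable where it is installed, the first defensive step is an inventory of which hosts carry blackhole.sys. The following PowerShell check is an added example, not part of the advisory: it assumes only the driver file name given above (the enabling registry key is not named on this page, so only the loaded-driver view is inspected).

```powershell
# Added example: report whether the blackhole.sys kernel module described in the
# advisory is installed and running on this host. Only the file name comes from the
# advisory; the Win32_SystemDriver query is a generic Windows driver inventory.
function Get-BlackholeDriverStatus {
    [CmdletBinding()]
    param(
        [string]$DriverFileName = 'blackhole.sys'   # name taken from the advisory
    )
    $pattern = [regex]::Escape($DriverFileName)
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match $pattern }

    if (-not $drivers) {
        # Not present: the host is out of scope for this CVE as long as that stays true.
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $false
            Running   = $false
            StartMode = $null
            Path      = $null
        }
    }
    foreach ($d in $drivers) {
        # Installed-but-stopped still matters: the advisory notes the driver can be
        # enabled later, so such hosts belong in the patch-tracking list too.
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $true
            Running   = ($d.State -eq 'Running')
            StartMode = $d.StartMode
            Path      = $d.PathName
        }
    }
}

# Run locally, or wrap in Invoke-Command to sweep a fleet.
Get-BlackholeDriverStatus | Format-Table -AutoSize
```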

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/11/2022 19:16:00 UTC
