Comodo Internet Security Zero-Day Vulnerability Allows Remote System Crashes
A critical zero-day vulnerability in Comodo Internet Security's Inspect.sys driver, dubbed ComoDoS, enables remote attackers to crash Windows systems via a malformed IPv6 packet.

A previously undisclosed zero-day vulnerability, codenamed ComoDoS, has been identified within the Comodo Internet Security firewall driver, Inspect.sys. This flaw allows remote attackers to trigger a denial-of-service (DoS) condition, leading to a complete system crash (Blue Screen of Death) on affected Windows machines. The vulnerability was discovered by security researcher Marcus Hutchins, who has publicly detailed the exploit mechanism and provided a proof-of-concept (PoC).
The core of the ComoDoS vulnerability lies in how the Inspect.sys driver parses IPv6 extension headers. When processing these optional headers, the driver uses a variable to track the payload length. Crucially, this variable is not adequately validated against the lengths of the chained extension headers. An attacker can craft a malformed IPv6 packet where the declared payload length is smaller than the actual combined length of the extension headers. This discrepancy produces an integer underflow in the unsigned 64-bit payload length field, which wraps around to an extremely large value (approximately 18.4 quintillion).
This integer underflow occurs during the packet parsing phase, which happens before any firewall rules are enforced. Consequently, the vulnerability bypasses all configured firewall rules, allowing the malicious packet to reach the vulnerable driver. The driver's attempt to process the malformed header with the drastically incorrect length value results in a kernel panic, leading to a system crash. The exploit is notably concise, requiring only a few lines of Python code using the Scapy library to construct and send the malicious IPv6 packet.
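To make the bug class concrete, the following added example (illustrative code written for this article, not Comodo's driver source) walks a chain of IPv6 extension headers two ways: an unchecked walk that trusts the Payload Length field and wraps on unsigned subtraction, and a hardened walk that rejects a chain claiming more bytes than the declared payload holds. The two packets are constructed inline; header offsets follow RFC 8200 (Payload Length at bytes 4-5, Next Header at byte 6, Hdr Ext Len in 8-octet units excluding the first 8).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IPV6_HDR_LEN 40
#define NH_HOPOPTS   0    /* Hop-by-Hop Options */
#define NH_ROUTING   43   /* Routing header */
#define NH_DSTOPTS   60   /* Destination Options */

/* Extension headers that carry a "Hdr Ext Len" byte in 8-octet units. */
static bool is_chained_ext(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS;
}

/* Unsafe walk: subtract each extension header's size from the declared
 * payload length without checking it first. Going below zero wraps the
 * unsigned counter to a huge value, the underflow pattern described above. */
uint64_t remaining_payload_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IPV6_HDR_LEN) return 0;
    uint64_t remaining = ((uint64_t)pkt[4] << 8) | pkt[5];  /* Payload Length */
    uint8_t nh = pkt[6];                                     /* Next Header */
    size_t off = IPV6_HDR_LEN;
    while (is_chained_ext(nh) && off + 8 <= pkt_len) {
        size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        remaining -= ext_len;          /* no check: may wrap around */
        nh = pkt[off];
        off += ext_len;
    }
    return remaining;
}

/* Hardened walk: every subtraction is validated before it happens, and the
 * declared length is also checked against the bytes actually present. */
bool remaining_payload_checked(const uint8_t *pkt, size_t pkt_len, uint64_t *out)
{
    if (pkt_len < IPV6_HDR_LEN) return false;
    uint64_t rem = ((uint64_t)pkt[4] << 8) | pkt[5];
    if (rem > pkt_len - IPV6_HDR_LEN) return false;   /* claims more than captured */
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    while (is_chained_ext(nh)) {
        if (off + 8 > pkt_len) return false;          /* truncated extension header */
        size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        if (ext_len > rem) return false;              /* would underflow: reject */
        rem -= ext_len;
        nh = pkt[off];
        off += ext_len;
    }
    *out = rem;
    return true;
}

/* Constructed samples: IPv6 header followed by one 16-byte Destination Options
 * header (Hdr Ext Len = 1, Next Header = 59 "no next header", Pad1 options).
 * The malformed packet declares Payload Length 8, smaller than the 16 bytes
 * its extension header actually occupies; the well-formed one declares 16. */
const uint8_t malformed_pkt[56]   = { [0] = 0x60, [5] = 8,  [6] = NH_DSTOPTS, [7] = 64, [40] = 59, [41] = 1 };
const uint8_t well_formed_pkt[56] = { [0] = 0x60, [5] = 16, [6] = NH_DSTOPTS, [7] = 64, [40] = 59, [41] = 1 };
```

The unchecked walk turns the 8-byte deficit into 2^64 - 8, which is the "approximately 18.4 quintillion" figure quoted above; the checked walk simply refuses the packet.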
Marcus Hutchins specifically chose the Destination Options extension header for his exploit. This header type is less likely to be filtered by intermediate network devices, increasing the probability that the crafted packet will reach its intended target across the internet. While the primary impact is a denial-of-service, Hutchins also identified potential paths for out-of-bounds (OOB) read and write operations stemming from the same underflow. However, exploitation for remote code execution (RCE) is considered highly constrained due to factors like data truncation and the inherent nature of kernel-level operations.
Despite multiple attempts to disclose the vulnerability and provide a patch suggestion to Comodo's security team, Hutchins reported receiving no acknowledgment. As of the time of reporting, no official patch has been released by Comodo, leaving users of Comodo Internet Security exposed. Organizations are advised to monitor for anomalous IPv6 traffic and consider implementing network-level controls that block malformed IPv6 extension headers as a temporary mitigation strategy.
The discovery of ComoDoS was part of broader research into Bring Your Own Vulnerable Driver (BYOVD) attack surfaces, utilizing an AI-assisted analysis pipeline. While auditing older versions of Comodo's drivers, architectural weaknesses were noted, prompting a deeper manual analysis of the current driver, which ultimately led to this critical finding. The public availability of a full PoC on GitHub allows security professionals to test their defenses and understand the exploit's mechanics.