Threat Response: CVE-2020-16898 (Bad Neighbor) – Remote Code Execution in Windows TCP/IP stack

14-10-2020


On 13 October 2020 Microsoft revealed the existence of a critical vulnerability in the TCP/IP stack of Windows 10 and specific Windows Server versions [1]. The vulnerability is similar to the old Ping of Death vulnerability fixed back in 2013, which also relied on packets carrying larger than expected data [2]. It has been assigned the identifier CVE-2020-16898 and, at the time of writing, no proof-of-concept code is publicly available.

The vulnerability exists due to a logic flaw in the tcpip.sys driver when handling ICMPv6 Router Advertisement packets [3]. It can be triggered by crafting a Router Advertisement packet that contains an oversized Recursive DNS Server (RDNSS) option, which results in a buffer overflow.
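As an added illustration of the packet structure involved (example code written for this page, not from the Northwave advisory or from Microsoft), the following PowerShell function walks the option list of an ICMPv6 Router Advertisement and reports any RDNSS option (type 25) whose Length field violates RFC 8106. That RFC requires a Length of at least 3 and, because the option is an 8-byte header followed by 16 bytes per address, always an odd value. The sample packet is constructed inline with a documentation-prefix address; the function is the kind of sanity check a parser test or packet-inspection rule would apply, and the advisory itself does not specify which malformation triggers the flaw.

```powershell
# Added example: validate RDNSS option lengths in an ICMPv6 Router Advertisement.
# Not part of the original advisory; the byte layout follows RFC 4861 (RA header,
# 16 bytes) and RFC 8106 (RDNSS option, type 25).
function Test-RdnssOptions {
    param([byte[]]$Icmpv6)   # ICMPv6 message starting at the Type byte

    $findings = @()
    if ($Icmpv6.Length -lt 16 -or $Icmpv6[0] -ne 134) {
        return @('not a Router Advertisement (ICMPv6 type 134)')
    }
    # Fixed RA header: type, code, checksum, hop limit, flags, router lifetime,
    # reachable time, retrans timer = 16 bytes. Options follow as 8-byte-unit TLVs.
    $offset = 16
    while ($offset + 2 -le $Icmpv6.Length) {
        $type  = $Icmpv6[$offset]
        $len   = $Icmpv6[$offset + 1]        # in units of 8 octets, header included
        if ($len -eq 0) {
            $findings += "option length 0 at offset $offset (invalid per RFC 4861)"
            break
        }
        $bytes = $len * 8
        if ($offset + $bytes -gt $Icmpv6.Length) {
            $findings += "option type $type at offset $offset claims $bytes bytes but only $($Icmpv6.Length - $offset) remain"
            break
        }
        if ($type -eq 25) {
            # RFC 8106: Length = 1 + 2 * (number of addresses), so >= 3 and odd.
            if ($len -lt 3 -or ($len % 2) -eq 0) {
                $findings += "RDNSS option at offset $offset has invalid length $len (must be odd and >= 3)"
            } else {
                $count = ($len - 1) / 2
                $findings += "RDNSS option at offset $offset with $count address(es): OK"
            }
        }
        $offset += $bytes
    }
    return $findings
}

# Constructed sample RA (checksum zeroed; not a capture): one source link-layer
# option, one well-formed RDNSS option carrying 2001:db8::1, and one RDNSS
# option whose Length field is even and therefore malformed.
[byte[]]$sampleRa = @(
    134, 0, 0, 0,                    # type 134 (RA), code 0, checksum
    64, 0x80, 0x07, 0x08,            # cur hop limit, flags, router lifetime
    0, 0, 0, 0,                      # reachable time
    0, 0, 0, 0,                      # retrans timer
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   # source link-layer address (type 1)
    25, 3, 0, 0, 0, 0, 0x0e, 0x10,   # RDNSS, length 3, lifetime 3600
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,   # 2001:db8::1
    25, 4, 0, 0, 0, 0, 0x0e, 0x10    # RDNSS, length 4 (even): malformed
) + (New-Object byte[] 24)           # pad the malformed option to 32 bytes

Test-RdnssOptions -Icmpv6 $sampleRa | ForEach-Object { Write-Output $_ }
```

Run as a script or dot-source it; for the constructed packet the function reports the first RDNSS option as OK with one address and the second as having an invalid length of 4. Feeding it the ICMPv6 payload extracted from a real capture works the same way, as long as the byte array starts at the ICMPv6 Type field.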

Microsoft patched the vulnerability in this week’s security updates [1].

Impact
By successfully exploiting this vulnerability, an attacker can cause a reliable denial of service on target systems. Microsoft has stated that achieving remote code execution is possible, but difficult due to the stack protections in place. A successful exploit would require an information leak to bypass stack protection.

If an attacker achieves remote code execution, they can run arbitrary commands on the victim system and thus access any data or functionality on it. This can be used for infiltration, ransomware, data exfiltration and other malicious activities.

Due to the potential for remote code execution, we consider the impact of this vulnerability to be high.

Risk
No public exploit code is available currently; however, Microsoft has shared a proof of concept with a number of research groups which results in an immediate Blue Screen of Death. In order to exploit this vulnerability, an attacker must be able to communicate with the target over IPv6, either via the Internet or on a local network. Please note that IPv6 is enabled by default on most machines, so the local-network path is usually open.

Due to the need for an additional information leak to craft a reliable code execution exploit, we consider the risk of this vulnerability to be medium.

Mitigation
Install the updates as soon as they become available. Meanwhile, apply the workaround Microsoft recommends [1]: disable Router Advertisement based DNS configuration on each IPv6 interface, so that the vulnerable RDNSS option is no longer processed. This is a per-interface IPv6 setting rather than a firewall rule, and can be set with the following command (substitute the interface index from netsh int ipv6 show int for *INTERFACENUMBER*):

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Once the patch has been installed, revert the setting as follows:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

Please be aware that if your Windows system depends on IPv6 to function, this workaround might hinder IPv6 connectivity for as long as it is in place.
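To apply the workaround consistently across several interfaces and confirm the result, the following PowerShell script (added here as an example; it is not from the Northwave advisory or from Microsoft) wraps the two netsh commands above. It assumes an elevated PowerShell session, uses Get-NetIPInterface to enumerate connected IPv6 interfaces, and reads back the setting from the per-interface view of netsh int ipv6 show int; the label 'RA Based DNS Config' matched in that output is an assumption about the English-language netsh output and may need adjusting on localized systems.

```powershell
# Added example: apply (-Action disable) or revert (-Action enable) Microsoft's
# interim workaround on every connected IPv6 interface and verify the setting.
# Assumptions: elevated session; English netsh output containing the label
# "RA Based DNS Config" (adjust the pattern on localized systems).
param(
    [ValidateSet('disable', 'enable')]
    [string]$Action = 'disable',
    [switch]$DryRun
)

$interfaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.ConnectionState -eq 'Connected' }

foreach ($if in $interfaces) {
    $idx = $if.ifIndex
    $cmd = "netsh int ipv6 set int $idx rabaseddnsconfig=$Action"
    if ($DryRun) {
        Write-Output "Would run: $cmd"
        continue
    }
    Write-Output "Running: $cmd"
    & netsh int ipv6 set int $idx rabaseddnsconfig=$Action | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh exit code $LASTEXITCODE for interface $idx ($($if.InterfaceAlias)); setting not verified"
        continue
    }
    # Read the setting back from the per-interface view (label is an assumption).
    $state = (& netsh int ipv6 show int $idx) |
        Select-String -Pattern 'RA Based DNS Config' |
        ForEach-Object { $_.Line.Trim() -replace '\s+', ' ' }
    if (-not $state) { $state = '(setting line not found in netsh output)' }
    Write-Output ("{0,4}  {1,-30} {2}" -f $idx, $if.InterfaceAlias, $state)
}
```

Run it once with -DryRun to see which interfaces would be touched, then without it to apply the workaround; after the October 2020 update is installed, run it again with -Action enable to revert, exactly as the two commands above describe.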

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Sources:
[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
[2]: https://www.cloudflare.com/en-gb/learning/ddos/ping-of-death-ddos-attack/
[3]: https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.