Bad Neighbor – CVE-2020-16898

CVE-2020-16898

Discovered: Proof-of-Concept released & vulnerability patched by Microsoft on October 13

Impacted Tech: Windows IPv6 stack | Windows 10 & Windows Server 2019

Attacker Location: Anywhere they can communicate directly with the vulnerable machine

Highlights: Potentially wormable

The vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. To trigger the vulnerability, the packets must use Option Type 25 (Recursive DNS Server Option) and the length field value must be even.

What should I do? Apply the patch as quickly as possible. If patching is not possible, “the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping ipv6 traffic if it is non-essential. Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter.”

To detect malicious traffic: Check ICMPv6 traffic for packets with an ICMPv6 Type field of 134 (Router Advertisement) that carry an option with Type 25 (Recursive DNS Server). A well-formed RDNSS option always has an odd Length field (1 + 2 × number of addresses, in units of 8 octets, per RFC 8106), so if the RDNSS option has an even Length value, drop or flag the packet.
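The detection rule above as an added Python example (not code from the original post, from McAfee or from Microsoft): it walks the options of a raw ICMPv6 Router Advertisement and flags an RDNSS option whose Length field is even. The sample messages are constructed inline for testing the detector, with the checksum left at zero.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_RDNSS = 25


def find_bad_rdnss(icmpv6: bytes) -> bool:
    """Return True when the ICMPv6 message (bytes after the IPv6 header) is a
    Router Advertisement carrying an RDNSS option whose Length field is even.
    RFC 8106 defines the RDNSS Length as 1 + 2 * (number of addresses), in
    8-octet units, so a valid option is always odd; an even value is malformed."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return False
    off = 16  # RA fixed header: type, code, checksum, hop limit, flags, lifetimes
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            break  # RFC 4861: a zero-length option is invalid, stop walking
        if opt_type == OPT_RDNSS and opt_len % 2 == 0:
            return True
        off += opt_len * 8  # option Length is in units of 8 octets
    return False


# Constructed sample messages (checksum zero, not wire-valid; detector input only)
def build_ra(*options: bytes) -> bytes:
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + b"".join(options)


def rdnss_option(length_field: int, *addrs: str) -> bytes:
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    opt = struct.pack("!BBHI", OPT_RDNSS, length_field, 0, 3600) + body
    return opt.ljust(length_field * 8, b"\x00")  # pad to the declared Length


SLLA = struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + bytes.fromhex("0200deadbeef")
GOOD_RA = build_ra(SLLA, rdnss_option(3, "2001:db8::1"))  # 1 + 2*1 = 3, odd
BAD_RA = build_ra(SLLA, rdnss_option(4, "2001:db8::1"))   # even Length field

if __name__ == "__main__":
    for name, pkt in (("GOOD_RA", GOOD_RA), ("BAD_RA", BAD_RA)):
        print(name, "flag" if find_bad_rdnss(pkt) else "ok")
```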

References:

MSFT Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
Proof of Concept: http://blog.pi3.com.pl/?p=780
McAfee’s Article (source of the above quotes): https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
