Yesterday, October 13, 2020, Microsoft disclosed a critical vulnerability in the Windows IPv6 stack (CVE-2020-16898) that lets an attacker send maliciously crafted packets to a remote system and potentially execute arbitrary code on it. The proof of concept provided to MAPP (Microsoft Active Protection Program) contributors is extremely simple and completely reliable: it triggers a BSOD (blue screen of death) every time. Turning that crash into code execution requires bypassing the exploit mitigations in Windows 10 and Windows Server 2019, but anyone who manages it has a remote code execution primitive, and because the bug is triggered by unsolicited network packets with no user interaction, this class of flaw is wormable.
Affected systems:
- Microsoft Windows Server 2019, and Windows Server, version 1903/1909/2004
- Microsoft Windows 10 (1709/1803/1809/1903/1909/2004)
CVSS Score: 9.0/10
“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.” – McAfee team.
To understand who the potential victims are and how many there are, you need to look under the hood.
According to shodan.io, there are 53,549 Internet-facing Windows 10 hosts and 2,700 Windows Server 2019 hosts.
To get a broader picture, we also collected data from other sources: ZoomEye lists 125,784 potentially vulnerable servers. Keep in mind that these are counts of Internet-exposed hosts; the actual attack surface is discussed below.
Patching is always the first and most effective course of action. When that is not possible, as with zero-day vulnerabilities, the best mitigation is to disable IPv6 on the network adapter or to drop IPv6 traffic at the network perimeter. ICMPv6 Router Advertisements can also be blocked or dropped at the perimeter. Note that Router Advertisements are link-local: routers do not forward them, so an attacker must be on the same network segment as the target, or reach it through a tunnel. Windows Defender and Windows Firewall in their default configuration do not block the proof of concept. It is currently unknown whether the attack succeeds when ICMPv6 traffic is tunneled over IPv4 using technologies such as 6to4 or Teredo.
You can disable ICMPv6 RDNSS (RA-based DNS configuration) to prevent attackers from exploiting the vulnerability with the netsh command below, run from an elevated command prompt or PowerShell; find the interface number first with "netsh int ipv6 show int". This workaround is only available for Windows 1709 and above, and no reboot is needed for it to take effect.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
You can undo the workaround after patching with the command below.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable
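As an added example (not code from the article or from Microsoft's advisory), the following PowerShell script applies the workaround above to every IPv6 interface at once, reads the setting back to verify that each interface really changed, and can roll the change back after patching. It assumes it runs elevated and that the "netsh interface ipv6 show interface" output contains a line beginning with "RA Based DNS Config" (true on English-language Windows 10 1709 and later; the label is localized on other language builds). The optional -DisableIPv6 switch implements the heavier alternative of unbinding IPv6 from the physical adapters.

```powershell
# Added example: apply, verify and roll back the RDNSS workaround.
# Assumption: netsh prints "RA Based DNS Config (RFC 6106) : enabled|disabled".
[CmdletBinding()]
param(
    [switch]$Rollback,      # re-enable RDNSS (or IPv6 binding) after patching
    [switch]$DisableIPv6    # alternative mitigation: unbind IPv6 from adapters
)

$ErrorActionPreference = 'Stop'

function Get-RdnssState {
    param([int]$IfIndex)
    # Returns 'enabled', 'disabled', or $null when the setting is not exposed
    # (builds older than 1709, or a non-English label we do not recognise).
    $out  = netsh interface ipv6 show interface $IfIndex
    $line = $out | Where-Object { $_ -match '^\s*RA Based DNS Config' }
    if (-not $line) { return $null }
    return (($line -split ':\s*')[-1]).Trim().ToLower()
}

function Set-RdnssState {
    param([int]$IfIndex, [ValidateSet('enable', 'disable')][string]$Mode)
    netsh interface ipv6 set interface $IfIndex rabaseddnsconfig=$Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed on interface $IfIndex" }
}

if ($DisableIPv6) {
    # Heavier alternative from the advisory: remove the IPv6 binding entirely.
    foreach ($nic in Get-NetAdapter -Physical) {
        if ($Rollback) {
            Enable-NetAdapterBinding  -Name $nic.Name -ComponentID ms_tcpip6
            Write-Host ("[OK]   {0,-30} IPv6 binding enabled"  -f $nic.Name)
        } else {
            Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
            Write-Host ("[OK]   {0,-30} IPv6 binding disabled" -f $nic.Name)
        }
    }
    return
}

$mode     = if ($Rollback) { 'enable' } else { 'disable' }
$expected = "${mode}d"   # 'enabled' or 'disabled'

# Only interfaces that carry IPv6 matter; the loopback pseudo-interface is skipped.
$ifaces = Get-NetIPInterface -AddressFamily IPv6 |
          Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

foreach ($if in $ifaces) {
    Set-RdnssState -IfIndex $if.ifIndex -Mode $mode
    # Verify by reading the setting back rather than trusting netsh's exit code.
    $state = Get-RdnssState -IfIndex $if.ifIndex
    if ($state -eq $expected) {
        Write-Host ("[OK]   {0,-30} RDNSS {1}" -f $if.InterfaceAlias, $state)
    } elseif ($null -eq $state) {
        Write-Warning ("{0}: setting not exposed (build older than 1709, or localized netsh output)" -f $if.InterfaceAlias)
    } else {
        Write-Warning ("{0}: expected {1}, got {2}" -f $if.InterfaceAlias, $expected, $state)
    }
}
```

Run it without switches to apply the workaround, with -Rollback once the October 2020 update is installed, and with -DisableIPv6 (optionally together with -Rollback) for the adapter-level alternative. The read-back step is the point: a host where netsh silently does nothing because the build is too old shows up as a warning instead of being counted as mitigated.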