Microsoft Fixes Critical TCP/IP Vulnerability
A new, potentially wormable remote code execution vulnerability in the Windows TCP/IP stack was patched this week.
Microsoft fixed 87 vulnerabilities across 11 different products this week, but the one you're likely going to keep hearing about - and the one it can be argued merits the most attention - is CVE-2020-16898.
The bug, a critical remote code execution vulnerability in Windows 10 and Windows Server 2019, could be exploited by sending a single crafted packet to a vulnerable machine; no authentication and no user interaction are required.
The vulnerability, which is already being referred to as “Bad Neighbor” and “Ping of Death Redux” in some circles, was one of 11 critical remote code execution bugs fixed on Tuesday as part of Microsoft's monthly Patch Tuesday release.
The bug stems from an issue in the Windows TCP/IP stack (tcpip.sys), which improperly handles ICMPv6 Router Advertisement packets, specifically the Recursive DNS Server (RDNSS) option they can carry. ICMPv6 is the part of IPv6 that performs error reporting and diagnostic functions; Router Advertisements are messages IPv6 routers send to announce their presence along with link and Internet parameters, and the RDNSS option (RFC 8106) lets a router hand hosts the addresses of DNS resolvers. Because the stack parses these packets in the kernel, a single specially crafted Router Advertisement can lead to code execution on a vulnerable system, and code execution inside the kernel means the attacker already holds the highest privileges on that machine rather than needing a separate elevation step. One limiting factor is worth noting: Router Advertisements are link-local messages (sent with a hop limit of 255 that intermediate routers will not forward), so the attacker needs a foothold on the same network segment as the target, which confines any worm built on this bug to hosts it can reach directly on the local link.
Microsoft lists no mitigating factors but does offer a workaround: disable ICMPv6 RDNSS processing outright. Microsoft shows how to do so with a command run from PowerShell on Windows 10 version 1709 and later, which should prevent attackers from exploiting the vulnerability until the patch is applied. The trade-off is that hosts relying on RDNSS to learn their DNS resolvers will need to get those addresses from DHCPv6 or static configuration instead, so test the change before rolling it out broadly.
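The following script is an added example, not code from the original article or from Microsoft. It wraps the workaround netsh command from Microsoft's advisory (rabaseddnsconfig=disable, the setting that turns off Router-Advertisement-based DNS configuration) so that it is applied to every IPv6 interface, reads the setting back, and can be reversed with a switch once the October update is installed. The interface enumeration and the verification step are this example's own; the verification assumes the build prints the value on a line labelled "RA Based DNS Config", which is the label I have seen netsh use, so adjust the pattern if yours differs.

```powershell
<#
Added example: apply (or revert) Microsoft's CVE-2020-16898 workaround on
every IPv6 interface. Requires Windows 10 version 1709 or later / Windows
Server 2019 and an elevated PowerShell prompt.

  .\Disable-Rdnss.ps1          # disable RDNSS processing (the workaround)
  .\Disable-Rdnss.ps1 -Revert  # restore the default after patching

Not from the original article; the netsh set command is the one in the
Microsoft advisory, everything else here is this example's own.
#>
param(
    [switch]$Revert
)

# netsh refuses interface changes without administrative rights, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

$state = if ($Revert) { 'enable' } else { 'disable' }

# Every interface with an IPv6 binding; loopback is included and the change is harmless there.
$ifaces = Get-NetIPInterface -AddressFamily IPv6

foreach ($if in $ifaces) {
    $idx = $if.InterfaceIndex

    # Microsoft's workaround command, with the interface index filled in:
    #   netsh int ipv6 set int <INTERFACEINDEX> rabaseddnsconfig=disable
    $out = netsh interface ipv6 set interface $idx "rabaseddnsconfig=$state" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ('Interface {0} ({1}): {2}' -f $idx, $if.InterfaceAlias, ($out -join ' '))
        continue
    }

    # Read the setting back so the change is verified, not assumed.
    # Assumption: the value appears on a line labelled 'RA Based DNS Config'.
    $line = netsh interface ipv6 show interface $idx |
            Select-String -Pattern 'RA Based DNS Config' |
            ForEach-Object { $_.Line.Trim() }
    if (-not $line) { $line = 'setting line not found in netsh output; check manually' }
    Write-Host ('Interface {0} ({1}): {2}' -f $idx, $if.InterfaceAlias, $line)
}
```

Run it once per host (or push it through your management tooling) before the patch lands, and run it again with -Revert after the update is confirmed installed so that hosts that depend on RDNSS regain their DNS configuration.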
Government agencies including the United States Computer Emergency Readiness Team - part of CISA - and U.S. Cyber Command encouraged administrators to update any Microsoft software as soon as possible to prevent a remote compromise.
Update your Microsoft software now so your system isn't exploited: CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely. https://t.co/ZwFq4WCUw7
— U.S. Cyber Command (@US_CYBERCOM) October 13, 2020
While there’s no evidence the vulnerability has been exploited in the wild yet, several proof-of-concepts for it exist, some of which crash the target with an immediate Blue Screen of Death (BSOD). A crash is the easy outcome: turning a kernel memory corruption into reliable remote code execution is considerably harder, which is why the public proof-of-concepts so far are denial-of-service demonstrations rather than working exploits.
The vulnerability sounds remarkably similar to a 2013 bug in the Windows TCP/IP stack (CVE-2013-3183), in which malformed ICMPv6 packets were not processed correctly: an IPv6 version of the Ping of Death attack that resulted in a denial of service, hence the Redux name.