Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898) Threat Alert

Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898) Threat Alert

November 2, 2020 | Mina Hao

Overview

On October 13, 2020 (local time), Microsoft fixed a critical vulnerability dubbed Bad Neighbor (CVE-2020-16898) in the Windows TCP/IP stack in its latest monthly patch update. An attacker might execute arbitrary code on a remote system by sending maliciously crafted ICMPv6 Router Advertisement packets.

McAfee said the proof-of-concept code shared with MAPP (Microsoft Active Protection Program) members is both simple and reliable and can result in an immediate BSOD (Blue Screen of Death)

According to Microsoft, the CVSS base score of this vulnerability is 9.8: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Vulnerability Description

A vulnerability exists when  the  Windows TCP/IP stack  improperly handles  ICMPv6 Router Advertisement  packets that use Option Type 25 (Recursive DNS Server  Option)  and a length field value that is even.

When an even length value is provided, the Windows TCP/IP stack incorrectly advances the network buffer by an amount that is 8 bytes too few. This is because the stack internally counts in 16-byte increments, failing to account for the case where a non-RFC compliant length value is used. This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.

Reference link:

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/

Affected Versions

  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Solution

Microsoft has released security patches for vulnerable systems. Affected users are strongly advised to install patch updates as soon as possible. For patch updates, please visit the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Besides, it has provided the following mitigations:

  • Disable ICMPv6 RDNSS

You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the following PowerShell command. This workaround is only available for Windows 1709 and above.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Note: No reboot is needed after making the change.

       You can disable the workaround with the following command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

Note: No reboot is needed after disabling the workaround.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.