US Cyber Command warns Microsoft users about ‘Bad Neighbor’ TCP/IP bug
A patch for the exploitable CVE-2020-16898 vulnerability is available: Microsoft fixed it in this month's Patch Tuesday release (October 2020).
CVE-2020-16898, nicknamed 'Bad Neighbor', is a remote code execution vulnerability in the Windows TCP/IP stack. Short of full code execution, it can be used to trigger a denial of service (DoS) that crashes the target with a Blue Screen of Death (BSOD).
Warning Microsoft users about the danger, US Cyber Command said in a tweet earlier today:
“Update your Microsoft software now so your system isn’t exploited: CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely,”
An unauthenticated attacker exploits the vulnerability by sending a crafted ICMPv6 Router Advertisement packet, carrying a malformed Recursive DNS Server (RDNSS) option, to the target computer. One caveat on "remotely": Router Advertisements are link-local traffic (they are sent with a hop limit of 255 and are not forwarded by routers), so in practice the attacker needs to be on the same network segment as the victim, for example via a compromised host or a rogue device on the LAN.
According to McAfee Labs’ post, Microsoft has already shared a proof-of-concept (POC) with MAPP members.
“The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable,” McAfee Labs said.
“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations.”
Based on the details provided, the British security firm Sophos has already built a DoS proof-of-concept that triggers the BSOD on vulnerable Windows 10 and Windows Server systems.
It would not be surprising if threat actors created their own DoS exploits. While developing a DoS PoC that causes a BSOD is reasonably easy, building a working RCE exploit is not: as SophosLabs explains, remote code execution requires a successful bypass of the kernel's stack canaries and kernel Address Space Layout Randomization (KASLR).
“Even so, the threat of denial of service at will with a relatively easily-crafted packet should be enough by itself to prompt rapid patching—which is the only real fix for this vulnerability,” Sophos added.
For systems that cannot be updated immediately, Microsoft advises disabling ICMPv6 Recursive DNS Server (RDNSS) option processing by running the following command on Windows 10 version 1709 and later (and the corresponding Windows Server releases), replacing *INTERFACENUMBER* with the index of the interface to protect; no reboot is required:
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
To re-enable the ICMPv6 RDNSS after the security update:
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable
However, this is only a short-term workaround: it stops the vulnerable option from being parsed but leaves the flawed code in place, so you should still install the security update to actually fix the vulnerability on affected systems.
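The netsh command above must be run once per interface, and the interface number has to be looked up first (for example with netsh int ipv6 show int). The following PowerShell script is an added example written for this article, not code from Microsoft or the original report: it enumerates every IPv6 interface, applies Microsoft's disable command to each, and reads the setting back from netsh to confirm it took. The "RA Based DNS Config" string it searches for in the netsh output is an assumption about the output wording on current Windows 10 builds; adjust it if your build prints the setting differently.

```powershell
# Added example (not from the article or from Microsoft): apply the
# CVE-2020-16898 workaround to every IPv6 interface and verify it.
# Run from an elevated PowerShell on Windows 10 1709+ / Server 2019.
# Run with -Undo to re-enable RDNSS after the security update is installed.
param([switch]$Undo)

$mode = if ($Undo) { 'enable' } else { 'disable' }

# Get-NetIPInterface (NetTCPIP module) lists interfaces; ifIndex is the
# number that replaces *INTERFACENUMBER* in Microsoft's netsh command.
$interfaces = Get-NetIPInterface -AddressFamily IPv6

foreach ($if in $interfaces) {
    $idx = $if.ifIndex

    # Microsoft's documented workaround, applied to this interface.
    netsh interface ipv6 set interface $idx rabaseddnsconfig=$mode | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed on interface $idx ($($if.InterfaceAlias))"
        continue
    }

    # Verify by reading the setting back. Assumption: the netsh interface
    # detail output contains a line such as
    #   RA Based DNS Config (RFC 6106)      : disabled
    $line = netsh interface ipv6 show interface $idx |
            Select-String 'RA Based DNS Config' |
            Select-Object -First 1
    $state = if ($line) { $line.Line.Trim() } else { '(setting not found in netsh output)' }

    Write-Output ('{0,3}  {1,-32} {2}' -f $idx, $if.InterfaceAlias, $state)
}
```

Review the printed table: every interface should report "disabled" while the workaround is in force. Keep in mind that disabling RDNSS only stops Windows from parsing the vulnerable option; hosts that rely on RA-advertised DNS servers (RFC 6106) will need DNS configured by DHCPv6 or statically until the update is installed and the setting is re-enabled with -Undo.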