Attacker Value: Very High (3 users assessed)
Exploitability: Low (3 users assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2020-16898 aka Bad Neighbor / Ping of Death Redux

Disclosure Date: October 16, 2020
Exploited in the Wild
Reported by hacking4pancakes

Description

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets, aka ‘Windows TCP/IP Remote Code Execution Vulnerability’.

Technical Analysis

Rating high based on Microsoft’s published information. No user interaction required, no authentication required, and allows RCE with a crafted ICMPv6 router advertisement packet.

General Information

Vendors

  • Microsoft

Products

  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
Technical Analysis

Update October 16, 2020: Security company Quarkslab published an analysis and crash proof-of-concept (PoC) for CVE-2020-16898. The crash PoC has been verified by independent researchers.

Description

On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16898, a remote code execution (RCE) vulnerability in the Windows TCP/IP stack. The vulnerability arises when the TCP/IP stack does not properly handle ICMPv6 Router Advertisement packets. Successful exploitation requires sending specially-crafted ICMPv6 Router Advertisement packets to a remote Windows computer and could give an attacker the ability to execute code on the target server or client. CVE-2020-16898 carries a CVSSv3 base score of 9.8.

There are no reports of exploitation in the wild as of October 13, 2020, though Microsoft’s advisory rates the vulnerability as “exploitation more likely.” The vulnerability has garnered broad attention as potentially wormable.

Security firm McAfee has a great technical analysis of CVE-2020-16898 available here, which we highly recommend reading. See below for our own analysis.

Affected products

  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Rapid7 analysis

Exploit development and weaponization of CVE-2020-16898 would be non-trivial. Security firms have been quick to point out that exploiting the vulnerability to crash a target system with a Blue Screen of Death (BSoD) is straightforward; while that’s a good coal-mine canary, a full exploit chain would require an additional primitive (e.g., an info leak) to function fully. Hypothetically, the “easiest” exploit chain might be one in which an attacker leverages a different vulnerability to obtain the randomized kernel base address and stack cookie to reliably exploit CVE-2020-16898.

In general, reproducing a crash is to code execution as the tip of the iceberg is to the whole: A crash is an important first step on the path to successful exploit development, but turning even the heartiest BSoD into reliable and weaponizable RCE is a significant technical hurdle, especially for vulnerabilities whose immediate exploitability is hampered by modern software stack mitigations (e.g., kernel ASLR). Overall, Rapid7 researchers hesitate to add our voices to the chorus of commentators insisting that exploits are a short way away.

The likelihood of reliable exploits for CVE-2020-16898 may be less important than the fact that a single maliciously-crafted packet has the potential to knock out an entire network segment, which is problematic even before considering the possibility of code execution on the target system. Router Advertisements are normally sent to the all-nodes link-local multicast group (ff02::1), so one packet can reach every vulnerable Windows host on the link at once. The flip side is that RAs are link-scoped (RFC 4861 requires a link-local source address and a hop limit of 255), so the attacker needs to be on, or able to inject frames onto, the target's link segment rather than anywhere on the internet.

Guidance

We recommend applying the patch for CVE-2020-16898 as soon as possible. For those who are unable to patch immediately, Microsoft's workaround (available only on Windows 10 1709 and later) is to disable processing of the RDNSS option in Router Advertisements on each IPv6 interface, using the netsh command below from an elevated PowerShell or command prompt, with *INTERFACENUMBER* replaced by the interface's IPv6 interface index (repeat for every interface):
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

See Microsoft’s advisory for further details. No reboot is needed after making the change. Note that the workaround turns off RA-based DNS server configuration (RFC 6106) on that interface, so hosts that learn their IPv6 DNS servers from RDNSS will need them from DHCPv6 or static configuration instead; verify IPv6 name resolution on such hosts after applying it.

McAfee’s threat detection team also has detection logic and a Suricata rule available here.
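As an added example (this is not Quarkslab's PoC or McAfee's rule, both of which this page only links to), the Python below walks the option list of an ICMPv6 Router Advertisement and flags encodings that RFC 4861 and RFC 8106 forbid: an option with Length 0, an option that runs past the end of the packet, and an RDNSS option whose Length is not an odd value of at least 3 (RFC 8106 sets Length to 3 for one address plus 2 per additional address, so an even Length can never describe a whole number of 16-byte addresses). The length rule comes from the RFC, not from this page, and whether any particular malformed packet triggers the bug is not something this page establishes. The packets are constructed inline (documentation prefix 2001:db8::/32) and all function and field names are this example's own.

```python
"""Check ICMPv6 Router Advertisement option encoding, with focus on the
RDNSS option (RFC 8106). Added example; not Quarkslab's PoC, not McAfee's rule."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FIXED_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_RDNSS = 25             # Recursive DNS Server option, RFC 8106 section 5.1


@dataclass
class RaCheckResult:
    options: list[tuple[int, int]] = field(default_factory=list)  # (type, Length) per option
    rdnss_servers: list[ipaddress.IPv6Address] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_router_advertisement(icmpv6: bytes) -> RaCheckResult:
    """Walk the option TLVs of an ICMPv6 RA (the IPv6 payload, starting at the
    ICMPv6 Type byte) and report encoding violations. Option Length is in
    units of 8 octets and covers the type/length bytes themselves (RFC 4861)."""
    res = RaCheckResult()
    if len(icmpv6) < RA_FIXED_HEADER_LEN:
        res.findings.append("truncated RA header")
        return res
    if icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        res.findings.append(f"not a Router Advertisement (ICMPv6 type {icmpv6[0]})")
        return res

    off = RA_FIXED_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            res.findings.append(f"dangling option bytes at offset {off}")
            break
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        res.options.append((opt_type, opt_len))
        if opt_len == 0:
            # RFC 4861 4.6: Length 0 is invalid; receivers must discard the packet.
            res.findings.append(f"option type {opt_type} at offset {off} has Length 0")
            break
        opt_bytes = opt_len * 8
        if off + opt_bytes > len(icmpv6):
            res.findings.append(
                f"option type {opt_type} claims {opt_bytes} bytes, {len(icmpv6) - off} remain")
            break
        if opt_type == OPT_RDNSS:
            # RFC 8106: Length is 3 for one address and grows by 2 per extra
            # address, so a well-formed RDNSS option has an odd Length >= 3.
            # An even Length cannot be a whole number of 16-byte addresses.
            if opt_len < 3 or opt_len % 2 == 0:
                res.findings.append(
                    f"RDNSS option has Length {opt_len}; RFC 8106 requires an odd value >= 3")
            else:
                body = icmpv6[off + 8: off + opt_bytes]   # skip type, Length, reserved, lifetime
                for i in range((opt_len - 1) // 2):
                    res.rdnss_servers.append(ipaddress.IPv6Address(body[i * 16:(i + 1) * 16]))
        off += opt_bytes
    return res


# --- Constructed sample packets (not captured traffic) ---------------------

def build_ra(options: bytes) -> bytes:
    """RA fixed header with hop limit 64 and router lifetime 1800 s; the
    checksum is left zero because it is not needed for the option checks."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(length_units: int, lifetime: int, body: bytes) -> bytes:
    """RDNSS option with an explicit Length so malformed encodings can be built."""
    return struct.pack("!BBHI", OPT_RDNSS, length_units, 0, lifetime) + body


DNS_ADDR = ipaddress.IPv6Address("2001:db8::53").packed   # constructed, documentation prefix
GOOD_RA = build_ra(rdnss_option(3, 1800, DNS_ADDR))
# Length 4 advertises 32 bytes, which no RFC 8106 address count can produce.
BAD_RA = build_ra(rdnss_option(4, 1800, DNS_ADDR + b"\x00" * 8))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("bad", BAD_RA)):
        r = check_router_advertisement(pkt)
        print(name, "ok" if r.ok else "FLAGGED", r.findings, [str(a) for a in r.rdnss_servers])
```

To use it on real traffic, hand the function the ICMPv6 payload of each frame addressed to ff02::1 (or any RA); a finding on the RDNSS option is the kind of condition a network or host-side detection rule for this advisory would alert on, while a clean result only says the option encoding is well-formed.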