The United States Cyber Command (USCYBERCOM) warns that users should apply the latest patches for Microsoft software to ensure they won’t fall victim to exploitation attempts.
The most important of these issues, US Cyber Command points out, is CVE-2020-16898, a critical bug in the Windows TCP/IP stack that can be triggered remotely to potentially achieve remote code execution on the victim machine.
While remote code execution might not be easy to achieve, Sophos has demonstrated how the vulnerability can be exploited to cause a Blue Screen of Death (BSoD), which is why the company has described it as a “Ping of Death” vulnerability.
Addressed on October 2020 Patch Tuesday, the flaw can be exploited through specially crafted ICMPv6 Router Advertisement packets sent to a vulnerable system, as these packets are not handled properly. Both Windows 10 and Windows Server are susceptible to exploitation.
“Update your Microsoft software now so your system isn’t exploited: CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely,” USCYBERCOM says.
McAfee, which calls the vulnerability “Bad Neighbor” due to the fact that it is located within an ICMPv6 Neighbor Discovery Protocol, explains that consumer Windows 10 systems will likely be impacted the most, as there are only hundreds of Windows Server 2019 machines with IPv6 addresses.
“We believe this vulnerability can be detected with a simple heuristic that parses all incoming ICMPv6 traffic, looking for packets with an ICMPv6 Type field of 134 – indicating Router Advertisement – and an ICMPv6 Option field of 25 – indicating Recursive DNS Server (RDNSS). If this RDNSS option also has a length field value that is even, the heuristic would drop or flag the associated packet, as it is likely part of a ‘Bad Neighbor’ exploit attempt,” the security firm says.
On Tuesday, Microsoft released patches to address not only this flaw, but also CVE-2020-16899, a second bug in the TCP/IP driver, which could be abused to cause denial of service.
Users are advised to apply the available patches as soon as possible. If that’s not a viable option, available workarounds include disabling IPv6, or blocking or dropping ICMPv6 Router Advertisements at the network perimeter.
“Windows Defender and Windows Firewall fail to block the proof-of-concept when enabled. It is unknown yet if this attack can succeed by tunneling the ICMPv6 traffic over IPv4 using technologies like 6to4 or Teredo. Our efforts to repeat the attack in this manner have not been successful to date,” McAfee says.
Related: Microsoft Patches New Windows ‘Ping of Death’ Vulnerability
Related: Microsoft Patches Several Publicly Disclosed Windows Vulnerabilities
Related: Actively Exploited Windows Spoofing Flaw Patched Two Years After Disclosure
