Bad Neighbour ICMPv6 Remote Code Execution Vulnerability

Buffer overflow in the Windows network stack
Threat ID: CC-3638
Category: Exploit
Threat Severity: Medium
Published: 15 October 2020

Summary

Bad Neighbour is a DoS and potential RCE vulnerability affecting Windows 10 and Windows Server. There are several public exploits, including one provided by Microsoft, that are able to crash affected systems; however, none have been able to achieve RCE.

Affected platforms

The following platforms are known to be affected:
  • Windows 10 Versions: 1709 (for 32-bit, x64, and ARM64), 1803 (for 32-bit, x64, and ARM64), 1809 (for 32-bit, x64, and ARM64), 1903 (for 32-bit, x64, and ARM64), 1909 (for 32-bit, x64, and ARM64), 2004 (for 32-bit, x64, and ARM64)
  • Microsoft Windows Server Versions: 2019 and 2019 Server Core, 1903 Server Core, 1909 Server Core, 2004 Server Core

Threat details

Introduction

Microsoft has released details of a buffer overflow vulnerability, called Bad Neighbour (or Ping of Death Redux), affecting Windows 10 and Windows Server. They claim that an unauthenticated attacker could exploit this vulnerability to gain remote code execution (RCE) capability on affected systems.

Vulnerability Details

Bad Neighbour appears to be the result of an implementation error in the Windows TCP/IP stack when handling Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets with the Recursive DNS Server (RDNSS) option enabled. Packets using this option contain five fields: type, length, reserved, lifetime, and addresses of IPv6 RDNS servers. When properly formed, the length field should always have an odd value of at least 3.

ICMPv6 Router Advertisement packets with non-compliant (i.e. even value) length fields cause the TCP/IP stack to handle the packet incorrectly, resulting in a buffer overflow within the stack that causes a denial-of-service (DoS) condition on the affected system or potentially RCE.
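
The length rule described above can be checked on captured traffic by walking the options of each Router Advertisement. This is an added example, not code from Microsoft or from this alert; it assumes the input starts at the ICMPv6 type byte, takes the RDNSS option type (25) from RFC 8106, and uses function names and sample bytes constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, lifetime, two timers
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 8106)


def rdnss_findings(icmpv6: bytes) -> list[str]:
    """Check one ICMPv6 message (starting at its type byte) for bad RDNSS lengths."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != RA_TYPE:
        return findings                       # not a Router Advertisement
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]  # length is in 8-byte units
        if opt_len == 0:
            findings.append(f"offset {off}: option {opt_type} has zero length")
            break                             # cannot advance past this option
        if off + opt_len * 8 > len(icmpv6):
            findings.append(f"offset {off}: option {opt_type} overruns the message")
            break
        if opt_type == OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"offset {off}: RDNSS length {opt_len} is not an odd value >= 3")
        off += opt_len * 8
    return findings


def sample_ra(rdnss_len: int) -> bytes:
    """Constructed test input: RA header plus one RDNSS option, zero-padded."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    # reserved (2 bytes), lifetime (4 bytes), one documentation-range DNS address
    body = struct.pack("!HI", 0, 600) + ipaddress.IPv6Address("2001:db8::53").packed
    option = bytes([OPT_RDNSS, rdnss_len]) + body
    return header + option.ljust(rdnss_len * 8, b"\x00")


if __name__ == "__main__":
    for length in (3, 4):
        print(length, rdnss_findings(sample_ra(length)) or "ok")
```

A finding from this check on perimeter or host captures indicates a Router Advertisement that a patched stack would reject and is worth investigating.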

Remediation advice

Affected organisations are encouraged to review the following Microsoft security update guide and apply the relevant updates.

Organisations unable to apply updates should consider implementing the following mitigations:

  • Disable IPv6, either on Network Interface Cards or at the network perimeter, if it is not required.
  • Block or drop ICMPv6 Router Advertisement packets at the network perimeter.
  • Disable ICMPv6 RDNSS using the PowerShell command below. Please note that this workaround is only available on Windows 10 1709 and later.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Remediation steps

Type: Patch
Step:

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.


https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Definitive source of threat updates

CVE Vulnerabilities

  • CVE-2020-16898
    Status: Reserved

    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Last edited: 16 October 2020 12:58 pm