CISA Warns Companies to Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Vulnerability Immediately

On October 2020 Patch Tuesday, Microsoft issued a patch to resolve a critical remove code execution vulnerability found in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw is brought on by the method TCP/IP stack deals with Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The vulnerability was designated a CVSS v3 score of 9.8 out of 10.

Although all patches must be employed quickly to protect against exploitation, there is commonly a difference between the issuance of patches and the development of exploits for use offensively against companies; nevertheless, as a result of the severity of the vulnerability and the convenience at which to exploit it, patching this vulnerability is primarily essential. To the point that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) used Twitter to encourage all institutions to implement the patch without delay.

An attacker can take advantage of the vulnerability wirelessly in a Denial of Service attack, creating a ‘blue screen of death’ system crash; additionally, exploitation may enable the wireless execution of arbitrary code on the unsecured systems. To manipulate the vulnerability, an unauthenticated attacker only need to transmit uniquely designed ICMPv6 Router Advertisement to an unsecured Windows computer that is operating on Windows Server versions 1903 to 2004, Windows Server 2019 or
Windows 10 1709 to 2004.

Although there were no acknowledged exploits of the vulnerability in the wild, the vulnerability is going to be alluring to attackers. McAfee Labs said that a proof-of-concept exploit for the vulnerability was delivered to Microsoft Active Protection Program members stating it is “extremely simple and perfectly reliable.” Aside from being simple to exploit, the vulnerability is most likely wormable, thus attacking one system can readily see all the vulnerable units on the network compromised in the same manner.

McAfee Labs also referred to the vulnerability “Bad Neighbor” since it is hanging out in the ICMPv6 Neighbor Discovery “Protocol”, employing the Router Advertisement type, and is a result of the TCP/IP stack erroneously managing ICMPv6 Router Advertisement packets that employ Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

If it isn’t able to patch quickly, mitigations should be carried out to lessen the opportunity for exploitation.

Microsoft urges administrators to deactivate ICMPv6 RDNSS to avoid exploitation. This could be done by using a basic PowerShell command:

netsh int ipv6 set int INTERFACENUMBER rabaseddnsconfig=disable

Nevertheless, this solution will turn off RA-based DNS configuration, hence could not be applied on network infrastructure that is based on RA-based DNS setup. In addition, this mitigating step is merely beneficial on Windows 10 1709 and newer versions.

Otherwise, it is likely to avert exploitation by turning off ipv6 traffic on the NIC or at the network perimeter, nevertheless, this is just achievable if ipv6 traffic is not important.