Getty Images/iStockphoto

CISA Urges Patch of Windows Remote Code Execution TCP/IP Flaw, DoS Risk

US Cyber Command took to Twitter to urge organizations to immediately apply a Microsoft-issued patch for a critical remote code execution flaw in Windows TCP/IP, which poses a DoS risk.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency urged all organizations to apply the patch for a remote code execution (RCE) vulnerability found in Microsoft Windows Transmission Control Protocol (TCP)/IP stack handing Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. 

US Cyber Command took to Twitter to warn organizations to immediately apply the software update to avoid a system exploit, as vulnerable systems can be remotely exploited. 

Microsoft released the patch along with 86 other security vulnerabilities this month, 11 of which were ranked critical. The CVE-2020-16898 bug was ranked a severity rating of 9.8 out of 10 and exists in the way the TCP/IP stack handles the ICMPv6 router packets. 

A hacker could successfully exploit the flaw to gain the ability to execute code on the victim’s server or client, including the ability to launch a denial of service (DoS) attack that would result in a ‘Blue Screen of Death’ (BSoD). 

To accomplish this, an attacker would only need to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability is found in client versions of Windows 10 1709 up to 2004, as well as server versions 1903 up to 2004 and Windows Server 2019. 

The critical vulnerability has not yet been publicly exploited. However, McAfee Labs reported that there is already a proof-of-concept provided to Microsoft Active Protection Program members by the tech giant, which is “both extremely simple and perfectly reliable.” 

“It results in an immediate BSoD, but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” researchers explained. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”  

“For ease of reference, we nicknamed the vulnerability ‘Bad Neighbor’ because it is located within an ICMPv6 Neighbor Discovery ''Protocol,’ using the Router Advertisement type,” they added. “It is likely that a memory leak or information disclosure bug in the Windows kernel would be required in order to build a full exploit chain for this vulnerability. Despite this, we expect to see working exploits in the very near future.” 

To McAfee, Windows 10 users will see the largest impact, but the flaw can be readily detected with a simple heuristic used to parse incoming ICMPv6 traffic. Administrators should look for packets with the ICMPv6 Type field of 134, which indicates the Router Advertisement, as well as an ICMPv6 Option field of 25, an indicator of Recursive DNS Server (RDNSS).  

If the RDNSS option has an even length field value, McAfee researchers explained the heuristic would flag or drop an associated packet “as it is likely part of a ‘Bad Neighbor’ exploit attempt.” 

Researchers, Microsoft, CISA, and US Cyber Command all warn that the software update should be immediately applied. If that’s not possible, Microsoft recommended administrators disable the ICMPv6 RDNSS to prevent hackers from exploiting the flaw using a simple PowerShell command, as a workaround. But the workaround is only available for Windows 1709 and above.  

McAfee noted IPv6 can also be disable either on the NIC or at the perimeter of the network by dropping ipv6 traffic if it is non-essential.  

“ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter,” McAfee researchers explained. “Windows Defender and Windows Firewall fail to block the proof-of-concept when enabled. It is unknown yet if this attack can succeed by tunneling the ICMPv6 traffic over IPv4 using technologies like 6to4 or Teredo.” 

As previous Microsoft research found there’s a massive effort of hackers scanning the internet in wide-ranging efforts in search of vulnerable endpoints, it’s crucial healthcare organizations apply the software update or at least the workaround as soon as possible. 

“The lack of basic security hygiene in any given ecosystem continues to enable cybercriminals to use well-known vulnerabilities—or new variants of them—to exploit their environments,” Microsoft recently explained.

Next Steps

Dig Deeper on Cybersecurity strategies