CISA Urges Organizations to Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Vulnerability Now

On October 2020 Patch Tuesday, Microsoft launched a patch to fix a critical remove code execution vulnerability identified in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The vulnerability is caused by the way TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The vulnerability was given a CVSS v3 rating of 9.8 out of 10.

Even though all patches ought to be used immediately to avoid exploitation, there is normally a time gap between the release of patches and the creation of exploits for use defensively against companies; nonetheless, because of the vulnerability’s severity and the easiness at which to exploit it, patching this flaw is particularly necessary. That is why the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) employed Twitter to advise all institutions to use the patch right away.

An attacker can take advantage of the vulnerability via the network in a Denial of Service attack, producing a ‘blue screen of death’ system crash; further, exploitation may permit the remote execution of arbitrary code on the vulnerable systems. To take advantage of the vulnerability, an unauthenticated hacker just needs to deliver an especially created ICMPv6 Router Advertisement to a vulnerable Windows computer that is using Windows Server versions 1903 to 2004, Windows 10 1709 to 2004, or Windows Server 2019.

Though there were no identified vulnerability exploits in the wild, the vulnerability will be appealing to cybercriminals. McAfee Labs stated that a proof-of-concept exploit for the vulnerability was provided to Microsoft Active Protection Program members saying it is “extremely simple and perfectly reliable.” Besides being straightforward to exploit, the vulnerability is possibly wormable, therefore attacking one unit could quickly see all other vulnerable gadgets on the network compromised in the same way.

McAfee Labs also called the vulnerability “Bad Neighbor” because it is located in the ICMPv6 Neighbor Discovery “Protocol”, utilizing the Router Advertisement type, and is caused by the TCP/IP stack incorrectly processing ICMPv6 Router Advertisement packets that utilize Option Type 25 (Recursive DNS Server Option) and a length field value that is an even number.

If it’s not ready to patch right away, mitigations must be enforced to minimize the possibilities for exploitation.

Microsoft advocates administrators to deactivate ICMPv6 RDNSS to avoid exploitation. This may be accomplished utilizing a straightforward PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

But, this alternative will turn off RA-based DNS configuration, and so can’t be employed on network infrastructure that depends on RA-based DNS configuration. Furthermore, this mitigating action is just useful on Windows 10 1709, and more recent versions.

On the other hand, it is possible to avert exploitation by deactivating ipv6 traffic on the NIC or at the network perimeter, however, this is solely feasible if ipv6 traffic is not necessary.