- Product
Product Overview
Sophisticated security with unmatched simplicityCloud SIEM
Pre-configured detections across your environmentHoneypots
Deception technology to detect lateral movementEndpoint Visibility
Real-time monitoring with added detection & responseSecurity Reports
Data visualizations, compliance reports, and executive summariesAutomated Response
Detect, prioritize, and neutralize threats around the clockIntegrations
Cloud, on-prem, and open API connectionsXDR Platform
A complete view to identify risk, and things operational
- Pricing
- Why Blumira
Why Blumira
The Security Operations platform IT teams loveWatch A Demo
See Blumira in action and how it builds operational resilienceUse Cases
A unified security solution for every challengePricing
Unlimited data and predictable pricing structureCompany
Our human-centered approach to cybersecurityCompare Blumira
Find out how Blumira stacks up to similar security toolsIntegrations
Cloud, on-prem, and open API connectionsCustomer Stories
Learn how others like you found success with Blumira
- Solutions
- Partners
- Resources
October 14, 2020
Microsoft has released 11 Critical level patches during this Patch Tuesday (including the latest Adobe Flash security update). However, two of these vulnerabilities among those being patched seem to be a familiar type of attack as what we saw in 2013 when MS patched a bug in Windows’ TCP/IP driver. In that case, it was referred to as the “Ping of Death” vulnerability.
How It Works
The vulnerability lies in the way ICMP packets are handled by the TCP/IP stack when the IPv6 Recursive DNS option is used. As the team at Sophos states:
There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.
At this point in time, there have been no known exploitations of this vulnerability, only proof of concept testing.
Who’s Affected & Mitigation
All Windows 10 version operating systems, as well as Windows Server 2019 and above are affected by this exploit
Mitigation for CVE-2020-16898/9
The proper and recommended mitigation for these vulnerabilities would be to apply the Microsoft Security Patches offered for affected devices yesterday October 13, 2020.
Workaround:
You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the PowerShell command below. This workaround is only available for Windows 1709 and above.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Note: No reboot is needed after making the change.
More Resources
- Microsoft CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability
- Sophos: Top Reason to Apply October 2020’s Microsoft Patches – Ping of Death Redux
- GitHub: CVE-2020-16898
Download Your Guide to Microsoft Security
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
In this guide, you’ll learn:
- How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
- How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
- Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
- What indicators of security threats you should be able to detect for Microsoft Azure and Office 365
More from the blog
View All Posts
Security Trends and Info
9 min read
| July 24, 2025
Critical Microsoft SharePoint Server vulnerability allows unauthorized code execution
Read More
Security Alerts
6 min read
| July 1, 2024
New Unauthenticated Remote Code Execution Flaw Identified in OpenSSH Server
Read More
Security Alerts
5 min read
| April 12, 2024
CVE-2024-3400: Palo Alto Vulnerabilities in GlobalProtect Gateway Lead to RCE
Read More