Ping of Death v2: Windows IPv6 Vulnerability (CVE-2020-16898/9)

Microsoft has released 11 Critical level patches during this Patch Tuesday (including the latest Adobe Flash security update). However, two of these vulnerabilities among those being patched seem to be a familiar type of attack as what we saw in 2013 when MS patched a bug in Windows’ TCP/IP driver. In that case, it was referred to as the “Ping of Death” vulnerability.

How It Works

The vulnerability lies in the way ICMP packets are handled by the TCP/IP stack when the IPv6 Recursive DNS option is used. As the team at Sophos states:

There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.

At this point in time, there have been no known exploitations of this vulnerability, only proof of concept testing.

Who’s Affected & Mitigation

All Windows 10 version operating systems, as well as Windows Server 2019 and above are affected by this exploit

Mitigation for  CVE-2020-16898/9

The proper and recommended mitigation for these vulnerabilities would be to apply the Microsoft Security Patches offered for affected devices yesterday October 13, 2020.

Workaround:
You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the PowerShell command below. This workaround is only available for Windows 1709 and above.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Note: No reboot is needed after making the change.

More Resources

• Microsoft CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability
• Sophos: Top Reason to Apply October 2020’s Microsoft Patches – Ping of Death Redux
• GitHub: CVE-2020-16898

Download Your Guide to Microsoft Security

To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.

In this guide, you’ll learn:

• How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
• How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
• Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
• What indicators of security threats you should be able to detect for Microsoft Azure and Office 365