by Bob Rudis
If you’re in the U.S. and were waiting for an “October surprise”, look no further than CVE-2020-16898 which is a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, or what our own Tod Beardsley likes to call “exploiting poor implementations of core IETF RFCs”.
The vulnerability arises when the TCP/IP stack does not properly handle ICMPv6 Router Advertisement packets. Successful exploitation requires sending specially-crafted ICMPv6 Router Advertisement packets to a remote Windows computer and could give an attacker the ability to execute code on the target server or client. CVE-2020-16898 carries a CVSSv3 base score of 9.8.
Our talented crew of Rapid7 vulnerability researchers have a technical analysis up on AttackerKB, and security firm McAfee has their own technical analysis of CVE-2020-16898 available here, which we recommend reading. Their research and engineering teams note that the Microsoft-provided exploit is “both extremely simple and perfectly reliable[, and] results in an immediate [Blue Screen of Death] (BSoD)”.
Before we go any further, we would like to strongly encourage you to patch this vulnerability if you are running Windows 10, Windows Server 2019, or Windows Server Core 1903, 1909, or 2004. You really don’t want to mess around when the word “wormable” is being used and so many eyes are on the non-BSoD prize of a fully-working RCE. If you cannot patch, consider disabling ICMPv6 Recursive DNS Server (RDNSS) as a workaround (which is, unfortunately, only available for Windows 1709 and above) via the following netsh command, run from an elevated PowerShell or command prompt (substitute the IPv6 interface index for *INTERFACENUMBER*):
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
More Like “Slightly Annoying Neighbors” (For Now)
As noted above, there are many folks who have access to the known BSoD exploit and scads more burning through cases of Mountain Dew to try to replicate the BSoD on their own (which is a common first step when attempting to get a repeatable remote code execution exploit to work). Weaponizing this and other BSoD=>RCE bugs is not exactly trivial, especially on modern operating systems like the ones impacted by this weakness.
In the short term (and possibly the long term) you should be more wary of disruption and distraction campaigns using this weakness, especially since IPv6 is very likely running on your internal network (where Bad Neighbor attacks are really most likely to occur) without you being aware of it.
What More Can You Do?
See Microsoft’s advisory for further details and keep an eye on the AttackerKB Bad Neighbor topic.
Defenders may also find the detection logic and the available Suricata rule (courtesy of McAfee’s threat detection team) quite useful.
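As an added illustration of the kind of check defenders can run over captured traffic (this is example code written for this post, not McAfee’s detection logic or their Suricata rule), the snippet below walks the Neighbor Discovery options of an ICMPv6 Router Advertisement and flags RDNSS options whose Length field violates RFC 8106, which requires a value of at least 3 and always odd (1 header unit plus 2 units per 16-byte address). The RA builder and the sample options are constructed here for the demonstration.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RDNSS_OPTION_TYPE = 25  # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16      # RFC 4861: 4-byte ICMPv6 header + 12-byte RA body


def rdnss_option_is_malformed(length_units: int) -> bool:
    """RFC 8106: Length is in units of 8 octets, is at least 3 for one
    address, and grows by 2 per extra address, so a valid value is odd."""
    return length_units < 3 or length_units % 2 == 0


def inspect_router_advertisement(icmpv6: bytes) -> list:
    """Return a list of findings (strings) for ND options in an RA that
    break the RFC length rules; an empty list means nothing suspicious."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings  # not a Router Advertisement; nothing to check
    offset = RA_HEADER_LEN
    while offset < len(icmpv6):
        if offset + 2 > len(icmpv6):
            findings.append("truncated option header")
            break
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            findings.append("option with zero length")  # forbidden by RFC 4861
            break
        if opt_type == RDNSS_OPTION_TYPE and rdnss_option_is_malformed(opt_len):
            findings.append(f"RDNSS option with invalid length {opt_len}")
        offset += opt_len * 8  # Length counts 8-octet units, header included
    return findings


def build_ra(options: bytes) -> bytes:
    """Constructed sample: minimal RA header (checksum left zero) + options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, 1800, 0, 0)
    return header + options


def rdnss_option(length_units: int, body_len: int) -> bytes:
    """Constructed RDNSS option: type, length, reserved, lifetime, payload."""
    return bytes([RDNSS_OPTION_TYPE, length_units, 0, 0]) + \
        (3600).to_bytes(4, "big") + bytes(body_len)


if __name__ == "__main__":
    print(inspect_router_advertisement(build_ra(rdnss_option(3, 16))))  # []
    print(inspect_router_advertisement(build_ra(rdnss_option(4, 24))))
```

A real deployment would feed this the ICMPv6 payload extracted from a pcap or a live capture rather than the constructed packets used here.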
Don’t be equally surprised in November, December, January, or any of the other calendar months. You and your organization should really be prepared to have between one and five critical “patch now” events each month for the foreseeable future. That may seem disruptive, but the spate of critical bugs in core business and remote access technologies has become the new normal and the only way to handle it is to make it part of the plan.