
Randori Attack Team Notes Vulnerability Analysis: CVE-2020-16898 (Bad Neighbor)

Randori Attack Team

Executive Summary

Microsoft released a series of patches on Tuesday October 13th, 2020 [1] addressing multiple vulnerabilities in the Windows 10 and Server 2019 network stacks. The highest risk addressed by this patch set is a vulnerability described by CVE-2020-16898, which details a buffer overflow attack over ICMPv6 Router Advertisement packets. 

While patching remains prudent, the only evidence of this vulnerability's exploitability currently available shows the attack resulting in a denial of service (BSoD, or blue screen of death) against a target. Only video-based proofs of concept have been released, and no remote code execution has been shown in these videos.

Tempering expectations, the type of packet used in this attack is only accessible on the link-local (non-routed) IPv6 address space, and existing protections in the Windows operating system are reported to make code execution unlikely [2]. However, this vulnerability is still of concern: if an attacker can write memory past their allocated buffer, there is always the potential that the attack could be weaponized to execute arbitrary code on the target [2][3].

Impact

This vulnerability is reported as impacting current versions of the Windows operating system (Windows 10 and Windows Server 2019); it is unknown whether older versions of Windows are affected.

The vulnerability utilizes functionality in IPv6 for Neighbor Discovery, which should only be accessible by other systems on the same local network. 

It is being widely reported in headlines that this is a remote code execution attack; however, the same articles stipulate that "achieving remote code execution would be extremely difficult." [2]

Recommendation/Remediation

The official remediation is to apply the patch set provided by Microsoft, which requires a system restart.

A workaround is also available: disable ICMPv6 RDNSS on the affected systems. No reboot is necessary, so this may be the best option for system administrators who are unable to apply patches at this time.

Here is the PowerShell command to disable ICMPv6 RDNSS, where *INTERFACENUMBER* is the index of the affected interface: [1]

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

When you are able to apply the patch, you can re-enable ICMPv6 RDNSS with the following PowerShell command: [1]

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

A Suricata ruleset has been made available publicly on McAfee's Advanced Threat Research GitHub at https://github.com/advanced-threat-research/CVE-2020-16898 [4]. This ruleset detects malformed ICMPv6 Router Advertisement packets carrying Recursive DNS Server options.

Analysis

Analyzing the information provided for this attack, we know it utilizes ICMPv6 Router Advertisement packets carrying Recursive DNS Server data. This is covered in RFC 4861 [5], "Neighbor Discovery for IPv6", and in RFC 8106, "IPv6 Router Advertisement Options for DNS Configuration", section 5.1.

Based on the write-ups, I suspect the Windows ICMPv6 stack is accepting Router Advertisement packets with the attack payloads stuffed into the RDNSS (Recursive DNS Server) list.
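As an added example (not the Randori team's analysis code and not the McAfee ruleset), the following Python walker checks the option chain of an ICMPv6 Router Advertisement against the RFC 4861 and RFC 8106 section 5.1 rules cited above, flagging any RDNSS option whose Length field is not an odd value of at least 3 or which runs past the end of the packet. The RA header, the RDNSS option and the DNS address are constructed samples.

```python
import struct
from typing import List

ICMPV6_RA = 134            # Router Advertisement, RFC 4861 section 4.2
RA_HEADER_LEN = 16         # fixed RA header before the options
OPT_RDNSS = 25             # RDNSS option, RFC 8106 section 5.1

def check_ra_options(icmpv6: bytes) -> List[str]:
    """Walk the options of an ICMPv6 RA payload and return findings; an empty
    list means every option is well formed per RFC 4861 / RFC 8106."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_RA:
        return ["not a Router Advertisement"]
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            findings.append(f"truncated option header at offset {off}")
            break
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:  # RFC 4861 4.6: a zero Length field must be rejected
            findings.append(f"option type {otype} at offset {off} has zero length")
            break
        if otype == OPT_RDNSS and (olen < 3 or olen % 2 == 0):
            # RFC 8106 5.1: Length is 3 for one address and grows by 2 per extra
            # address, so a valid RDNSS option always has an odd Length >= 3.
            findings.append(f"RDNSS option at offset {off} has invalid length {olen}")
        if off + olen * 8 > len(icmpv6):  # Length is in units of 8 octets
            findings.append(f"option type {otype} at offset {off} overruns packet")
            break
        off += olen * 8
    return findings

def build_ra(options: bytes) -> bytes:
    # Constructed RA header: code 0, checksum 0 (not verified here), hop limit 64,
    # flags 0, router lifetime 1800 s, reachable time 0, retrans timer 0.
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + options

def rdnss_option(length_field: int, addrs: List[bytes], lifetime: int = 3600) -> bytes:
    # Constructed RDNSS option; length_field is emitted as given so a sample can be wrong.
    return struct.pack("!BBHI", OPT_RDNSS, length_field, 0, lifetime) + b"".join(addrs)

DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")  # constructed 2001:db8::53
GOOD_RA = build_ra(rdnss_option(3, [DNS_ADDR]))
# Constructed malformed sample: Length 4 (even) with one address and 8 bytes of filler.
BAD_RA = build_ra(rdnss_option(4, [DNS_ADDR]) + b"\x00" * 8)
```

The checker operates on the ICMPv6 payload only, so a capture tool must strip the Ethernet and IPv6 headers before handing bytes to it.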

Since the protocol in question (ICMPv6 RAs) is meant for local network and neighbor discovery, this attack would likely need to be performed on the same local area network as the target host(s). 

We are waiting for code-based proofs of concept to help clarify the risk. From what we know, if this attack can be performed with just ICMPv6 RA packets, it would be high risk for large flat networks where many hosts are peers to one another. An attack would likely result in widespread denial of service on the Windows hosts on that local network. If evidence shows that simple remote code execution is possible with these packets, then it could be used as a self-propagating worm, and the severity of that attack would be considerable. We are still awaiting further evidence and example proofs of concept.

Further Information & Reference Links

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
  2. https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/
  3. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
  4. https://github.com/advanced-threat-research/CVE-2020-16898
  5. https://tools.ietf.org/html/rfc4861