Businesses operating Windows and Windows Server 2019 are urged to address a critical vulnerability in the way the system handles Internet Control Message Protocol version 6 (ICMPv6) by applying the latest update released by Microsoft on 13 October 2020.
Impact
The remote code execution (RCE) flaw, assigned CVE-2020-16898, could allow an attacker to execute code, such as installing malware, on a vulnerable system just by sending a malformed packet; however, current proofs of concept (POCs) were restricted to “denial of service” impacts.
The vulnerability is also potentially “wormable”, meaning an exploit could spread across networks on its own, because it is “located within an ICMPv6 Neighbor Discovery Protocol, using the Router Advertisement type”.
As Windows 10 currently has over 1 billion users and Windows Server 2019 is also widely deployed as a server platform, the impact of exploitation could be very widespread.
ICMP is used by network devices such as routers to send error messages and operational success or failure information to other connected devices.
While an exploit is not yet publicly available, it is likely that attackers are already working on their own exploits to deploy in real attacks against systems. Microsoft have reportedly shared a proof of concept (POC) exploit privately with its partners who assessed it to be very “reliable” and “simple”, although researchers have indicated it only results in a machine displaying the “Blue Screen of Death” and did not allow for code execution. At least one researcher noted that developing an exploit which allowed remote code execution may be difficult.
Detection
Exploitation attempts can be detected by inspecting incoming ICMPv6 traffic for packets with Type field 134 (Router Advertisement) that carry a Neighbor Discovery option of type 25 (Recursive DNS Server, RDNSS). If the RDNSS option has an even length field, the packet is likely an exploitation attempt and should be dropped or flagged.
McAfee have also released Suricata rules for detecting exploitation.
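The detection rule described above, written out as an added example (this is not code from the advisory, Microsoft or McAfee): a Python checker that walks the Neighbor Discovery options of an ICMPv6 Router Advertisement and flags any RDNSS option whose length field is even. The packets are constructed inline for the example, and the DNS server address uses the 2001:db8::/32 documentation prefix.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 Type field value for Router Advertisement
ND_OPT_RDNSS = 25                    # Neighbor Discovery option type: Recursive DNS Server
RA_HEADER_LEN = 16                   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans

def iter_nd_options(icmpv6_payload: bytes):
    """Yield (type, length_field, data) for each ND option following the RA header.
    length_field is in units of 8 octets, exactly as carried on the wire."""
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6_payload):
        opt_type, opt_len = icmpv6_payload[off], icmpv6_payload[off + 1]
        if opt_len == 0:             # RFC 4861 forbids a zero length; stop rather than loop forever
            yield opt_type, 0, b""
            return
        yield opt_type, opt_len, icmpv6_payload[off + 2: off + opt_len * 8]
        off += opt_len * 8

def is_suspicious_ra(icmpv6_payload: bytes) -> bool:
    """True if the packet is a Router Advertisement carrying an RDNSS option with an even length.
    A well-formed RDNSS option holds 1 + 2*n units (n addresses), so its length is always odd."""
    if len(icmpv6_payload) < RA_HEADER_LEN or icmpv6_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return False
    return any(opt_type == ND_OPT_RDNSS and opt_len % 2 == 0
               for opt_type, opt_len, _ in iter_nd_options(icmpv6_payload))

# --- constructed sample packets (not captured traffic) ---
def build_ra(options: bytes) -> bytes:
    """RA header with a zeroed checksum, hop limit 64 and a 1800 s router lifetime, then options."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options

def rdnss_option(length_field: int, addresses: list, lifetime: int = 3600) -> bytes:
    """RDNSS option: type, length, reserved(2), lifetime(4), then 16-byte addresses.
    The length field is passed in explicitly so a malformed (even) value can be constructed."""
    return bytes([ND_OPT_RDNSS, length_field]) + struct.pack("!HI", 0, lifetime) + b"".join(addresses)

SLLA_OPTION = bytes([1, 1]) + bytes.fromhex("021122334455")           # Source Link-layer Address, len 1
DNS_SERVER = bytes.fromhex("20010db8000000000000000000000053")       # 2001:db8::53 (documentation prefix)

BENIGN_RA = build_ra(SLLA_OPTION + rdnss_option(3, [DNS_SERVER]))     # one address -> length 3, odd
SUSPICIOUS_RA = build_ra(rdnss_option(4, [DNS_SERVER]))               # even length field -> flag or drop
```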
Mitigation
Applying the patch is the best course of action. Microsoft have announced an update to mitigate the risks associated with the vulnerability. Businesses running Windows 10 and Windows Server 2019 with IPv6 addresses are urged to prioritise applying the update.
If patching is not possible, dropping IPv6 is an alternative course of action, although this should only be considered if IPv6 traffic is not essential to business operations. This can be achieved by disabling IPv6 at the perimeter or on the Network Interface Controller (NIC).
Researchers have noted that Windows native security tools such as Defender and the Windows Firewall did not block the Microsoft POC. It is also not known if the attack can be achieved by tunneling ICMPv6 traffic over IPv4. For this reason, blocking the traffic without patching is not without potential risks.