Microsoft Windows Critical RCE Vulnerability – Bad Neighbor (CVE-2020-16898)

Multiple vulnerabilities were addressed in Microsoft's October 2020 Patch Tuesday. This blog discusses the most critical of them, CVE-2020-16898, which affects the Windows TCP/IP driver. On its own it causes a Denial of Service (DoS), and it is reported to be a potential Remote Code Execution (RCE) when combined with other exploits. Microsoft rates this CVE as critical.

As per the Microsoft advisory, “A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.”

A crafted IPv6 Router Advertisement packet carrying an RDNSS (Recursive DNS Server) option can remotely trigger a fault in the Windows tcpip.sys driver, leading to a DoS. The vulnerability is caused by tcpip.sys parsing the ICMPv6 message incorrectly: a crafted Router Advertisement makes the driver write more bytes into a kernel stack buffer than the buffer holds, a stack-based buffer overflow. The result is a Blue Screen of Death (BSoD); Windows 10 and Windows Server 2019 are the most likely targets. Because the vulnerability lies in the Router Advertisement message of the ICMPv6 Neighbor Discovery Protocol, it is also known as “Bad Neighbor”.

Turning this buffer overflow into RCE is not straightforward, because the driver is compiled with the /GS buffer security check, which is on by default. Additional obstacles to a direct RCE are the stack canary that /GS inserts and kernel Address Space Layout Randomization (kASLR).

Affected Products:

  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Advisory

Windows TCP/IP Remote Code Execution Vulnerability – CVE-2020-16898

Mitigations

As per the advisory, the following mitigations should be applied in addition to installing the patch:

  • Disable ICMPv6 RDNSS (the setting is only available on Windows 1709 and later):
    netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
  • Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter.

Workaround/Mitigation Detection

Qualys Policy Compliance customers can evaluate the workaround with the following control via Cloud Agent:

19571 Status of the ‘RA Based DNS Config (RFC 6106)’ parameter of network interface
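The netsh workaround above and the per-interface state that this control evaluates can be checked together from a script. The following PowerShell is an added example, not code from the Qualys post or the Microsoft advisory; it assumes an elevated session on a supported Windows build and English-language netsh output (it parses the "RA Based DNS Config (RFC 6106)" label).

```powershell
# Added example: report, and optionally apply, the CVE-2020-16898 workaround
# (rabaseddnsconfig=disable) on every non-loopback IPv6 interface.
# Assumes: elevated PowerShell, Windows 10 1709+ / Server 2019, English netsh output.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

function Get-RaDnsConfigState {
    param([int]$InterfaceIndex)
    # netsh prints one "label : value" line per setting for the given interface
    $out  = netsh interface ipv6 show interface $InterfaceIndex 2>$null
    $line = $out | Where-Object { $_ -match 'RA Based DNS Config' }
    if (-not $line) { return 'unknown' }
    return ($line -split ':', 2)[1].Trim()   # "enabled" or "disabled"
}

$ifaces = Get-NetIPInterface -AddressFamily IPv6 |
          Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

foreach ($if in $ifaces) {
    $state = Get-RaDnsConfigState -InterfaceIndex $if.ifIndex
    $flag  = if ($state -eq 'enabled') { 'EXPOSED' } else { 'ok' }
    Write-Output ("{0,-4} {1,-40} rabaseddnsconfig={2,-8} {3}" -f `
        $if.ifIndex, $if.InterfaceAlias, $state, $flag)

    if ($Apply -and $state -eq 'enabled') {
        # Same command the advisory gives, applied per interface index
        netsh interface ipv6 set interface $if.ifIndex rabaseddnsconfig=disable | Out-Null
        Write-Output ("     -> disabled RA-based DNS config on interface {0}" -f $if.ifIndex)
    }
}
```

Run it without -Apply first to see which interfaces still accept RDNSS options; the workaround does not replace the patch, and interfaces that report "unknown" should be checked by hand.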

Qualys Detection

Qualys customers can scan their network with QID 91686 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://github.com/advanced-threat-research/CVE-2020-16898

https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-5

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=vs-2019

https://en.wikipedia.org/wiki/Address_space_layout_randomization
