Microsoft has released 11 Critical level patches during this Patch Tuesday (including the latest Adobe Flash security update). However, two of these vulnerabilities among those being patched seem to be a familiar type of attack as what we saw in 2013 when MS patched a bug in Windows’ TCP/IP driver. In that case, it was referred to as the “Ping of Death” vulnerability.
How It Works
The vulnerability lies in the way ICMP packets are handled by the TCP/IP stack when the IPv6 Recursive DNS option is used. As the team at Sophos states:
There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.
At this point in time, there have been no known exploitations of this vulnerability, only proof of concept testing.
Who’s Affected & Mitigation
All Windows 10 version operating systems, as well as Windows Server 2019 and above are affected by this exploit
Mitigation for CVE-2020-16898/9
The proper and recommended mitigation for these vulnerabilities would be to apply the Microsoft Security Patches offered for affected devices yesterday October 13, 2020.
Workaround:
You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the PowerShell command below. This workaround is only available for Windows 1709 and above.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Note: No reboot is needed after making the change.
More Resources
- Microsoft CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability
- Sophos: Top Reason to Apply October 2020’s Microsoft Patches – Ping of Death Redux
- GitHub: CVE-2020-16898
Download Your Guide to Microsoft Security
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
In this guide, you’ll learn:
- How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
- How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
- Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
- What indicators of security threats you should be able to detect for Microsoft Azure and Office 365
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
More from the blog
View All PostsNew Unauthenticated Remote Code Execution Flaw Identified in OpenSSH Server
Read MoreCVE-2024-3400: Palo Alto Vulnerabilities in GlobalProtect Gateway Lead to RCE
Read MoreCVE-2024-3094: xz-utils (liblzma) Backdoor
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.