Microsoft has released 11 Critical-level patches this Patch Tuesday (including the latest Adobe Flash security update). Two of the vulnerabilities being patched resemble a type of attack we saw in 2013, when Microsoft patched a bug in Windows’ TCP/IP driver. In that case, it was referred to as the “Ping of Death” vulnerability.
The vulnerability lies in the way ICMP packets are handled by the TCP/IP stack when the IPv6 Recursive DNS option is used. As the team at Sophos states:
There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.
At this point in time, there have been no known exploitations of this vulnerability, only proof of concept testing.
All Windows 10 versions, as well as Windows Server 2019 and above, are affected by this vulnerability.
The proper and recommended mitigation for these vulnerabilities is to apply the Microsoft security patches offered for affected devices yesterday, October 13, 2020.
Workaround:
You can disable ICMPv6 RDNSS with the PowerShell command below to prevent attackers from exploiting the vulnerability. This workaround is only available for Windows 1709 and above.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Note: No reboot is needed after making the change.
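The workaround has to be applied per interface, so on a host with several adapters it is easy to miss one. The script below is an added example (not from the original post or from Microsoft) that applies the command above to every IPv6 interface and confirms the result. The helper name `Get-RdnssState` is hypothetical, and the script assumes English-locale `netsh` output that includes an "RA Based DNS Config" line.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the RDNSS workaround to every IPv6 interface and verify it.

function Get-RdnssState {
    # Hypothetical helper: reads the current setting for one interface.
    param([int]$IfIndex)
    # Assumption: English-locale output contains a line such as
    #   "RA Based DNS Config (RFC 6106)     : enabled"
    $hit = netsh int ipv6 show int $IfIndex |
        Select-String 'RA Based DNS Config' |
        Select-Object -First 1
    if ($hit -and $hit.Line -match ':\s*(\w+)\s*$') { return $Matches[1] }
    return 'unknown'   # older build, other locale, or interface not found
}

$results = foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
    $before = Get-RdnssState -IfIndex $if.ifIndex

    # Only touch interfaces that are not already disabled, so reruns are harmless.
    if ($before -ne 'disabled') {
        netsh int ipv6 set int $if.ifIndex rabaseddnsconfig=disable | Out-Null
    }

    [pscustomobject]@{
        IfIndex = $if.ifIndex
        Alias   = $if.InterfaceAlias
        Before  = $before
        After   = Get-RdnssState -IfIndex $if.ifIndex
    }
}

$results | Format-Table -AutoSize

# Exit non-zero if any interface could not be confirmed as disabled,
# so deployment tooling can flag the host for follow-up.
# To roll back after patching, rerun the netsh command with rabaseddnsconfig=enable.
if ($results | Where-Object After -ne 'disabled') { exit 1 }
```

An `unknown` result in the `After` column means the setting could not be read back and the host should be checked by hand.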