A critical security vulnerability in Windows was patched in the October 2020 Patch Tuesday release. CVE-2020-16898 is a flaw in the handling of IPv6 Router Advertisement (RA) options, specifically the DNS-related RA options. The flaw resides in the Windows TCP/IP stack, which is responsible for processing RA packets.
If the vulnerability is exploited, the attack scenarios currently known include denial of service and, potentially, remote code execution. Unfortunately, CVE-2020-16898 affects multiple Windows versions, all of which support IPv6 RDNSS; support for RDNSS was added to the operating system starting with Windows 10 version 1709, security researchers warn.
It is noteworthy that researchers have dubbed the flaw “Bad Neighbor”.
CVE-2020-16898 Bad Neighbor Vulnerability
According to McAfee, the greatest impact of the flaw concerns Windows 10 systems. The good news is that, as the fix reaches machines through Windows Update, the threat surface should shrink quickly.
Shodan statistics show that the number of Windows Server 2019 machines with IPv6 addresses is not more than 1,000. However, this data may not be reliable “because most servers are behind firewalls or hosted by Cloud Service Providers (CSPs) and not reachable directly via Shodan scans,” McAfee points out.
The researchers “believe the vulnerability can be detected with a simple heuristic that parses all incoming ICMPv6 traffic, looking for packets with an ICMPv6 Type field of 134 – indicating Router Advertisement – and an ICMPv6 Option field of 25 – indicating Recursive DNS Server (RDNSS).”
When the RDNSS option additionally carries an even value in its Length field, the heuristic would drop or flag the packet, as it is likely part of an exploitation attempt against CVE-2020-16898.
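The heuristic above, written out as a small detector, is an added example and not code from McAfee or the original article. It assumes the ICMPv6 message has already been extracted from the IPv6 packet, and the sample packets it builds are constructed here for testing (the 2001:db8::1 resolver address is a documentation-prefix placeholder).

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 Type for Router Advertisement
ND_OPT_RDNSS = 25                   # Neighbor Discovery option: Recursive DNS Server
RA_HEADER_LEN = 16                  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def iter_nd_options(icmpv6):
    """Yield (type, length, raw bytes) for each ND option following the RA header.
    Length is in units of 8 octets, as in RFC 4861."""
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:            # zero length is invalid per RFC 4861; stop parsing
            return
        end = off + opt_len * 8
        yield opt_type, opt_len, icmpv6[off:end]
        off = end


def is_suspicious_ra(icmpv6):
    """Flag an RA (type 134) carrying an RDNSS option (type 25) with an even Length.
    A well-formed RDNSS option (RFC 8106) has Length 1 + 2*n, so it is always odd."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return False
    return any(t == ND_OPT_RDNSS and l % 2 == 0 for t, l, _ in iter_nd_options(icmpv6))


def build_ra(options):
    """Constructed sample RA: header (checksum left zero) followed by raw options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(length, addresses):
    """Build an RDNSS option with an explicit Length field, padded to length*8 bytes."""
    body = struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, 3600) + b"".join(addresses)
    return body.ljust(length * 8, b"\x00")[: length * 8]


DOC_DNS = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1, constructed
MTU_OPTION = struct.pack("!BBHI", 5, 1, 0, 1500)             # ordinary MTU option, type 5

BENIGN_RA = build_ra([MTU_OPTION, rdnss_option(3, [DOC_DNS])])   # Length 3: one address, odd
MALFORMED_RA = build_ra([rdnss_option(4, [DOC_DNS])])            # Length 4: even, flagged
```

The same check maps directly onto an IDS rule: match ICMPv6 type 134, walk the options, and alert on an RDNSS option whose second byte is even.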
Mitigation against CVE-2020-16898
As for mitigation, patching is mandatory and is the easiest way to protect against exploitation. If patching is not possible, IPv6 can be disabled as a mitigation measure, either on the NIC or at the network perimeter by dropping IPv6 traffic.
Alternatively, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter. Note that Windows Defender and Windows Firewall do not stop the proof-of-concept even when enabled. The researchers are uncertain whether the attack can succeed when the ICMPv6 traffic is tunneled over IPv4 via technologies such as 6to4 or Teredo.