Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10.

While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately.

An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on the vulnerable systems. To exploit the flaw, an unauthenticated hacker need only send specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer – A device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

While there have been no known exploits of the vulnerability in the wild, the flaw will be attractive to hackers. McAfee Labs reports that a proof-of-concept exploit for the flaw was sent to Microsoft Active Protection Program members that it reports is “extremely simple and perfectly reliable.”  In addition to being easy to exploit, the vulnerability is potentially wormable, so attacking one device could easily see all other vulnerable devices on the network similarly compromised.

McAfee Labs nicknamed the vulnerability “Bad Neighbor” as it resides in the ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type, and is due to the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

If it is not possible to patch immediately, mitigations need to be implemented to reduce the potential for exploitation.

Microsoft recommends administrators disable ICMPv6 RDNSS to prevent exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will disable RA-based DNS configuration, so cannot be used on network infrastructure that relies on RA-based DNS configuration. Also, this mitigating measure is only effective on Windows 10 1709 and later versions.

Alternatively, it is possible to prevent exploitation by disabling ipv6 traffic on the NIC or at the network perimeter, but this is only possible if ipv6 traffic is not essential.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.