CISA: ‘Patch Wormable Bad Neighbor Windows TCP/IP Flaw Immediately’

Oct 28, 2020

Microsoft has made a new patch available to address a critical remote code execution flaw in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw is related to how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was given a CVSS v3 score of 9.8 out of a possible 10.

Although all patches should be applied promptly to prevent exploitation, there is usually a delay between a patch being made available and exploits being created and used against organizations. However, due to the severity of this vulnerability and the ease with which it can be exploited, patching it is even more important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) used the Twitter platform to plead with all organizations to apply the patch at once.

An attacker could exploit the flaw remotely in a Denial of Service attack, leading to a ‘blue screen of death’ system crash; however, exploitation could also permit the remote execution of arbitrary code on susceptible systems. To exploit the vulnerability, an unauthenticated attacker would only have to send a specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer: a device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

Though there have been no known exploits of the vulnerability in the wild, the flaw will be an attractive target for hackers. McAfee Labs reports that a proof-of-concept exploit for the flaw, shared with Microsoft Active Protections Program members, is “extremely simple and perfectly reliable.” Along with being easy to exploit, the vulnerability is potentially wormable, so compromising one device could easily see all other vulnerable devices on the network similarly compromised.

McAfee Labs named the vulnerability “Bad Neighbor” because it resides in the ICMPv6 Neighbor Discovery Protocol, using the Router Advertisement type. It is caused by the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) with a length field value that is even.
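The condition described above can be checked on captured traffic. The following is an added example, not code from the article, McAfee or Microsoft: it walks the options of an ICMPv6 Router Advertisement and flags any RDNSS option whose length is even. It goes slightly beyond the text by also flagging lengths below 3 (RFC 8106 requires an odd length of at least 3) and zero-length or truncated options. The function name and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 type of a Router Advertisement
ND_OPT_RDNSS = 25                  # Recursive DNS Server option type
RA_FIXED_LEN = 16                  # ICMPv6 header (4) + fixed RA fields (12)


def inspect_ra(icmpv6: bytes) -> list:
    """Return findings for one ICMPv6 message (bytes start at the type field)."""
    if len(icmpv6) < RA_FIXED_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []  # not a Router Advertisement, nothing to check
    findings = []
    offset = RA_FIXED_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            # RFC 4861: such a packet must be discarded; parsing cannot advance.
            findings.append(f"option type {opt_type} at offset {offset}: zero length")
            break
        # Option length is in units of 8 bytes: 8-byte RDNSS header plus
        # 16 bytes per address, so a valid RDNSS length is odd and >= 3.
        if opt_type == ND_OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"RDNSS option at offset {offset}: invalid length {opt_len}")
        if offset + opt_len * 8 > len(icmpv6):
            findings.append(f"option type {opt_type} at offset {offset}: runs past end of packet")
            break
        offset += opt_len * 8
    return findings


# Constructed sample data (checksum left at 0, addresses from documentation ranges).
_HEADER = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
_SLLA = bytes([1, 1]) + bytes.fromhex("020000000001")  # source link-layer address
GOOD_RA = (_HEADER + _SLLA + struct.pack("!BBHI", ND_OPT_RDNSS, 3, 0, 600)
           + ipaddress.IPv6Address("2001:db8::53").packed)
BAD_RA = _HEADER + _SLLA + struct.pack("!BBHI", ND_OPT_RDNSS, 4, 0, 600) + bytes(24)

if __name__ == "__main__":
    for name, packet in (("GOOD_RA", GOOD_RA), ("BAD_RA", BAD_RA)):
        print(name, inspect_ra(packet) or "no findings")
```

The input is the ICMPv6 payload only, so the IPv6 header has to be stripped from a capture before calling the function.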

If an organization is not in a position to patch the flaw immediately, mitigations need to be put in place to minimize the possibility of exploitation.

Microsoft advises system managers to turn off ICMPv6 RDNSS to stop exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will turn off RA-based DNS configuration, so it cannot be implemented on network infrastructure that depends on RA-based DNS configuration. Also, this mitigating step is only effective on Windows 10 1709 and later versions.

Another solution would be to turn off IPv6 traffic on the NIC or at the network perimeter, but this is only possible if IPv6 traffic is not crucial.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
