CISA: ‘Patch Wormable Bad Neighbor Windows TCP/IP Flaw Immediately’

Microsoft have made a new patch available to address a critical remove code execution flaw in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw is related to how the TCP/IP stack manages Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was given a CVSS v3 score of 9.8 out of a possible 10.

Even though all patches should be applied quickly to stop them being targeted, there is usually a delay between patches being made available and exploits being created and focused offensively against groups; however, due to the severity of the vulnerability and the simplicity at which it can be exploited, patching this vulnerability is even more important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) used the Twitter platform to plea with all groups to apply the patch at once.

A hacker could target the flaw remotely in a Denial of Service attack, leading to a ‘blue screen of death’ system crash; however, exploitation could also permit the remote execution of arbitrary code on the susceptible systems. To taget the vulnerability, an unauthenticated hacker would only have to send specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer – a device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

Though there have been no known exploits of the vulnerability in the wild, the flaw will be a lucrative target for hackers. McAfee Labs reports that a proof-of-concept exploit for the flaw was shared with Microsoft Active Protection Program members that it reports is “extremely simple and perfectly reliable.”  Along with being being easy to exploit, the vulnerability is potentially wormable, so targeting one device could easily see all other vulnerable devices on the network similarly infiltrated.

McAfee Labs labelled the vulnerability “Bad Neighbor” as it lives in the ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type, and is due to the TCP/IP stack improperly managing ICMPv6 Router Advertisement packets that employ Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

If a group is not in a position to patch the flaw immediately, mitigations need to be put in place to minimize the possibility for infiltration.

Microsoft advises system managers to turn off ICMPv6 RDNSS to stop exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will turn off RA-based DNS configuration, so cannot be implemented on network infrastructure that depends on RA-based DNS configuration. Also, this mitigating stepis only effective on Windows 10 1709 and later versions.

Another solution would be to turn off ipv6 traffic on the NIC or at the network perimeter, but this is only possible if ipv6 traffic is not crucial.