Just in Time Bulletin: Bad Neighbor

What is “Bad Neighbor”? 

CVE-2020-16898, known as Bad Neighbor, is a critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system.

The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. 

For ease of reference, the vulnerability was nicknamed “Bad Neighbor” because it is located within an ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type.

How bad is this? 

Active exploitation today: No Evidence

Severity: Critical

• authentication not required
• denial of service and remote code execution (potentially)
• results in system level privileges

This to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable. So a compromise could lead to significant service interruptions and the compromise of high level domain accounts.

Who is affected by this? 

• Windows 10 All versions
• Windows Server 2019
• Windows Server 2019 (Server Core Installation)
• Windows Server, Version 1903 (Server Core Installation)
• Windows Server, Version 1909 (Server Core Installation)
• Windows Server, Version 2004 (Server Core Installation)

How is it exploited? 

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

How do I protect myself? 

Microsoft has released patches to address Bad Neighbor for all the affected software versions & editions. Fix has been issued as a part of the Patch Tuesday on October 13th, 2020. 

Under what circumstances would I consider using a workaround?

If you aren’t about to install the patches right away, you can use this workaround: 

Disable ICMPv6 RDNSS.

You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the following PowerShell command. This workaround is only available for Windows 1709 and above. See What’s new in Windows Server 1709 for more information.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Note: No reboot is needed after making the change.

Impact of Workaround

The workaround disables RA-based DNS configuration. It is an alternative in networks where an IPv6 host’s address is auto-configured through IPv6 stateless address auto-configuration where there is either no DHCPv6 infrastructure at all or some hosts do not have a DHCPv6 client. Windows still supports DHCPv6 and it takes precedence over 6106-based configuration.

Before applying the workaround, customers need to consult with their IT admin to confirm that their network infrastructure doesn’t rely on RA-based DNS configuration. Refer to RFC 8106 for further detail.

How to undo the workaround

You can disable the workaround with the following PowerShell:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

Note: No reboot is needed after disabling the workaround.

Additional Resources: 

• Microsoft Security Advisory
• Mcafee