What you need to know about "Bad Neighbor" - CVE-2020-16898 - CVE-2020-1656
Why the sky is not falling and at the same time why you shouldn't ignore CVE-2020-16898 and CVE-2020-1656
What is “Bad Neighbor”?
The one key takeaway is that this is a remote code execution vulnerabioity. “Bad Neighbor” is a vulnerability in the Microsoft Windows TCP/IP stack, more precisely in the way ICMPv6 Router Advertisment packets are being handled. If exploited through a maliciously crafted packet, an attacker could gain the capability to execute arbitrary code on a remote system.
CVE-2020-16898 has a CVSSv3 score of 9.8
Another reason why so many people are talking about this vulnerability is due to the fact that it can be made wormable, this means that if weaponised, an infected machine can infect another vulnerable machine on the network.
Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
What impact can this cause?
As of now, just a few days after Microsoft patch Tuesday, there are only experiments and PoC code available that can cause a crash (Blue Screen of Death). This is not to exclude that a fully functional exploit will not surface in the near future. Windows 10 and Server 2019 are affected by this vulnerability.
I don’t use IPv6 therefore I’m not affected…
This is the bad part where some may think they don’t use IPv6, this is a wrong assumption. IPv6 is enabled on most of the modern operating systems and has been for quite a while. Maybe this is a good time for people to start to review their network design plans for IPv6, as this is certainly not the last time that we’ll hear about IPv6.
What's next?
Patch, patch, patch! There are a couple of compensating controls that you need to be aware of, but this does not mean that you don’t have to patch anymore. Rapid7 have made a note on a PowerShell script that can be used to disable ICMPv6 Recursive DNS Server (RDNSS)
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disableAs a second option, you can check if your perimeter firewall drops IPv6 packets and also validate if you actually make use of IPv6. In this case the attack vector will be limited to this being exploited within the internal network, behind the firewall. A couple of detection scripts are already available for:
- Suricata – https://github.com/advanced-threat-research/CVE-2020-16898
- Snort – https://www.snort.org/rule_docs/1-55984
- Zeek – https://github.com/corelight/CVE-2020-16898
There is also the PoC code that can trigger the crash: cve-2020-16898-aka-bad-neighbor-ping-of-death-redux
Further reading
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
- https://blog.rapid7.com/2020/10/14/there-goes-the-neighborhood-dealing-with-cve-2020-16898-a-k-a-bad-neighbor/
- https://hothardware.com/news/bad-neighbor-exploit-2020
- Technical deep dive: beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html
