The Windows Bad Neighbor vulnerability explained — and how to protect your network

Attackers could use the Windows Bad Neighbor vulnerability to perform remote code execution or create buffer overflows. Patches and workarounds are available.


In October 2020, Microsoft patched a set of vulnerabilities that included the critical networking bugs CVE-2020-16898 and CVE-2020-16899. Known as “Bad Neighbor” or “Ping of Death Redux,” these flaws lurk in the Windows TCP/IP networking implementation, specifically in how incoming ICMPv6 packets are handled under certain conditions.

Both CVE-2020-16898 and CVE-2020-16899 represent the Bad Neighbor vulnerability; however, the impact of CVE-2020-16898 is remote code execution, while for CVE-2020-16899 it is denial of service (DoS).

The flaw demands attention as it impacts even recent Windows 10 and Server versions, heavily in use in both enterprise and home environments. Moreover, multiple proof-of-concept (PoC) exploits for this vulnerability have sprung up on the internet.

What is Bad Neighbor?

Microsoft’s security advisory on the vulnerability is rather simplistic:

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.”

The Bad Neighbor flaw stems from a buffer overflow caused by how the TCP/IP stack is implemented in Windows. When the ICMPv6 protocol is enabled and the recursive DNS server (RDNSS) option is also enabled, the implementation does not properly handle router advertisement (RA) packets.

This is because, when both of these conditions apply, the RDNSS option in an ICMPv6 RA packet is expected to have five fields: type, length, reserved, lifetime and IPv6 RDNSS addresses, with the length field being an odd value, as specified by RFC 8106.

The reason for this is simple. The length value (which should be at least 3) is counted in units of 8 bytes. The first four fields always take up 8 bytes. Since the last field (IPv6 RDNSS addresses) can contain one or more IPv6 addresses of 16 bytes each, the total size of a single RA packet is expected to be 24, 40, 56… bytes, depending on how many IPv6 addresses are present.

Figure: An ICMPv6 packet structure with RDNSS option enabled (source: Internet Engineering Task Force)

A length of 3 would imply that the total packet length is 24 bytes and contains just one IPv6 address. Consequently, the value provided for length should be 3, 5, 7 and so on.

If a crafted packet contains an even length value, it can result in a buffer overflow due to the packet being larger but touting itself to contain fewer bytes than it actually does. The resulting buffer overflow is bound to cause a DoS condition, but under certain conditions an unauthenticated remote attacker can exploit the flaw to also execute arbitrary code on the impacted system.
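The length rule above can be checked mechanically. The following Python is an added illustration, not code from the article, Microsoft or McAfee: it walks the option area of a Router Advertisement, applies the RFC 8106 rule (length odd and at least 3, addresses in 16-byte units) and flags an RDNSS option whose declared length is even, which is the shape a crafted Bad Neighbor packet takes. The option bytes are constructed inline for the demonstration.

```python
import ipaddress
import struct

ND_OPT_RDNSS = 25    # RDNSS option type (RFC 8106)
RDNSS_HDR_LEN = 8    # type(1) + length(1) + reserved(2) + lifetime(4)
IPV6_ADDR_LEN = 16

def build_rdnss_option(addrs, lifetime=300, length=None):
    """Build an RDNSS option (type, length, reserved, lifetime, addresses).
    `length` overrides the computed value so a malformed option with an even
    length, the shape Bad Neighbor relies on, can be constructed for testing."""
    body = b"".join(addrs)
    if length is None:
        length = (RDNSS_HDR_LEN + len(body)) // 8   # 3, 5, 7, ... for 1, 2, 3, ... addresses
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body

def check_ra_options(options):
    """Walk the option TLVs that follow the RA header and return (offset, verdict)
    pairs for each RDNSS option. Parsing stops at the first malformed option
    because the remaining layout can no longer be trusted."""
    findings = []
    off = 0
    while off + 2 <= len(options):
        otype, olen = options[off], options[off + 1]
        if olen == 0:                      # RFC 4861 forbids a zero option length
            findings.append((off, "invalid: option length 0"))
            break
        declared = olen * 8
        if otype == ND_OPT_RDNSS:
            if olen < 3 or olen % 2 == 0:
                findings.append((off, f"malformed RDNSS length {olen}: must be odd and at least 3"))
                break
            if off + declared > len(options):
                findings.append((off, "truncated RDNSS option"))
                break
            n_addrs = (declared - RDNSS_HDR_LEN) // IPV6_ADDR_LEN
            findings.append((off, f"ok: RDNSS with {n_addrs} address(es)"))
        off += declared
    return findings

# Constructed sample data: a Source Link-Layer Address option (type 1, length 1)
# followed by an RDNSS option carrying two documentation-range resolver addresses.
SLLA = bytes([1, 1]) + bytes.fromhex("001122334455")
DNS1 = ipaddress.IPv6Address("2001:db8::1").packed
DNS2 = ipaddress.IPv6Address("2001:db8::2").packed
GOOD_RA_OPTS = SLLA + build_rdnss_option([DNS1, DNS2])            # length 5 = 40 bytes
BAD_RA_OPTS = SLLA + build_rdnss_option([DNS1, DNS2], length=4)   # claims 32, carries 40
```

Running `check_ra_options` on the two constructed option areas reports the benign RDNSS option as carrying two addresses and the crafted one as malformed at its offset.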

“To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 router advertisement packets to a remote Windows computer,” explains Microsoft’s security advisory on CVE-2020-16898.

What is Bad Neighbor’s potential impact?

Windows and Windows Server remain the most widely used operating systems across enterprise environments, including healthcare. Ransomware operators are targeting hospitals and healthcare facilities using a variety of attack vectors. In one case, a ransomware attack caused a patient’s death.

Given the likelihood of this flaw being abused to target hospitals, UK’s National Health Service (NHS) released its own security advisory on Bad Neighbor. “Bad Neighbor is one of those vulnerabilities that is easy for people to dismiss as overblown because it currently only results in a blue screen crash,” says Rob Bathurst, CTO of Digitalware.

Bathurst says that ransomware operators can use this vulnerability as an attack vector to deliver their malicious kits and accelerate their activities on a compromised network. “That opinion, however, doesn't take into account the fact that the only way to protect yourself is by disabling IPv6, which on a modern or domain-joined computer is nearly impossible. This means that ransomware groups, once the vulnerability is weaponized, can leverage it against anyone with an affected OS that it can reach over a network. A weaponized version of this vulnerability capable [of installing] a ransomware kit could seriously increase the velocity of an infection after initial compromise.”

The Bad Neighbor vulnerability now has multiple PoC exploits available, which is why network administrators are encouraged to remediate this flaw immediately.

How to mitigate the Bad Neighbor vulnerability

Microsoft’s advisory recommends remediating the Bad Neighbor vulnerability by applying the latest security updates. If updating is not possible, a workaround has also been provided for systems running Windows 10 version 1709 and above. The workaround consists of disabling the ICMPv6 RDNSS option by executing a simple command from an elevated PowerShell prompt. A system restart isn’t required for the change to take effect.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

“The workaround disables RA-based DNS configuration. It is an alternative in networks where an IPv6 host's address is auto-configured through IPv6 stateless address auto-configuration where there is either no DHCPv6 infrastructure at all or some hosts do not have a DHCPv6 client,” said Microsoft’s advisory. “Windows still supports DHCPv6 and it takes precedence over 6106-based configuration.”

However, consult IT and networking administrators before applying these workarounds to ensure that the enterprise infrastructure is not relying on RA-based DNS configuration.

For SOC professionals, the following Suricata IDS rule can help with monitoring traffic for signs of a Bad Neighbor exploit in progress. The script cve-2020-16898.lua with related information is available from McAfee’s Advanced Threat Research team on GitHub.

alert icmp any any -> any any (msg:"Potential CVE-2020-16898 Exploit"; lua:cve-2020-16898.lua; sid:202016898; rev:1;)

What makes remediation particularly challenging around Bad Neighbor is the tradeoff that may result from disabling the RDNSS feature of ICMPv6 at a time when IPv6 adoption continues to grow.

Copyright © 2020 IDG Communications, Inc.
