In Microsoft’s October 2020 Patch Tuesday release, the remote code execution vulnerability CVE-2020-16898 was disclosed. The vulnerability is wormable and requires no user interaction. Proof-of-concept code that crashes a vulnerable system is publicly available, and the vulnerability could soon be weaponized by malicious actors. The CloudPassage Halo cloud security platform identifies which servers are vulnerable. Below are instructions on how to find servers exposed to this Microsoft TCP/IP vulnerability and how to fix them.
The vulnerability exists because the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets; an attacker who successfully exploits it could execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. Because Router Advertisements are link-local traffic (hosts discard them unless they arrive with a link-local source and a hop limit of 255), the attacker needs a foothold on the same network segment as the target; the packets are not routable across the Internet. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Vulnerability Identification for CVE-2020-16898
The first step in managing risk from this vulnerability is to identify all affected assets in your environment. In ServerSecure, this simply requires a search for CVE-2020-16898:
The Package Health view displays the status of all of the software packages on the server at the time of the most recent scan. If you want to view results from a different scan, click the Data as of drop-down to select a different date. By default, the data in the list is sorted by criticality.
The graphic summary displays the following information:
Packages by Result: Displays the total count of software packages on the server by scan result and criticality: Vulnerable (critical), Vulnerable (non-critical), or OK (no vulnerabilities detected). You can click any part of the graphic or any count to filter the view according to your selection.
Vulnerable Packages by Remote Exploitability: Displays the total count of vulnerable packages on the server according to how many of those vulnerabilities are remotely exploitable. You can click any part of the graphic or any count to filter the view according to your selection.
CVEs by CVSS Severity: Displays the total count of CVEs on the server by CVSS v3 severity level: Critical, High, Medium, and Low.
If the server you are viewing has a Windows operating system, a KBs Installed subtab appears in the Server Details > Software view. Here, you can see the KBs that are installed on the selected server, listed by install date. In the screen capture, you can observe that KB4577668 (the October 2020 cumulative update for this server’s Windows build) is not installed.
Vulnerability Mitigation for CVE-2020-16898
We recommend installing the patch immediately on all vulnerable systems. If that is not possible, the next best option is to follow the Microsoft workaround and disable ICMPv6 RDNSS (processing of the Recursive DNS Server option carried in Router Advertisements, RFC 6106).
Workaround: How to Disable ICMPv6 RDNSS
You can disable ICMPv6 RDNSS, which prevents attackers from exploiting the vulnerability, by running the following netsh command from an elevated PowerShell or Command Prompt window, replacing *INTERFACENUMBER* with the interface index of each IPv6-enabled interface (the command must be repeated once per interface):
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
You can revert the workaround after patching by running:
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable
Note: No reboot is needed after making the change. Be aware that a host relying on RA-provided DNS servers for IPv6 name resolution will lose that DNS configuration while the workaround is in place; DNS servers obtained via DHCPv6 or configured statically are unaffected.
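The following script ties the steps above together. It is an added example and is not code from the original post, Microsoft, or CloudPassage: it checks whether the October 2020 update is installed and, if not, applies the RDNSS workaround to every non-loopback IPv6 interface and verifies the resulting setting. It assumes KB4577668 is the correct update for the host being checked (that is the KB shown on the page for its server; other Windows builds receive differently numbered cumulative updates, so adjust $Kb accordingly) and that the label “RA Based DNS Config” in the netsh output is stable on your build.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session: netsh rejects the rabaseddnsconfig change without administrator rights.
# Assumption: KB4577668 is the correct update for this host's Windows build.
$Kb = 'KB4577668'

function Test-CveUpdateInstalled {
    param([string]$KbId)
    # Get-HotFix writes a non-terminating error when the KB is absent; silence it
    # and treat "nothing returned" as "not installed".
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-Ipv6InterfaceIndexes {
    # The interface index here is the same number netsh shows in the Idx column
    # of 'netsh int ipv6 show int'. Loopback is skipped; netsh does not accept
    # the setting on it.
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
        Select-Object -ExpandProperty ifIndex -Unique
}

function Set-RdnssState {
    param([int]$IfIndex, [ValidateSet('enable', 'disable')][string]$State)
    netsh interface ipv6 set interface $IfIndex rabaseddnsconfig=$State | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed on interface $IfIndex (exit code $LASTEXITCODE)"
    }
}

function Get-RdnssState {
    param([int]$IfIndex)
    # Per-interface output contains a line such as
    #   RA Based DNS Config (RFC 6106)     : disabled
    # Assumption: this label is unchanged on the build being checked.
    $line = netsh interface ipv6 show interface $IfIndex |
        Select-String -Pattern 'RA Based DNS Config'
    if ($line) { ($line.Line -split ':')[-1].Trim() } else { 'unknown' }
}

if (Test-CveUpdateInstalled -KbId $Kb) {
    Write-Host "$Kb is installed; the RDNSS workaround is not needed."
}
else {
    Write-Warning "$Kb is not installed; applying the RDNSS workaround."
    $indexes = Get-Ipv6InterfaceIndexes
    foreach ($idx in $indexes) { Set-RdnssState -IfIndex $idx -State 'disable' }

    # Verify: every interface should now report 'disabled'.
    foreach ($idx in $indexes) {
        '{0,4} : {1}' -f $idx, (Get-RdnssState -IfIndex $idx)
    }
}
```

Once the update has been deployed, rerun the loop with `-State 'enable'` to restore RA-based DNS configuration on the same interfaces. Keeping the verification step separate from the change is deliberate: it catches the case where netsh silently skipped an interface, which a fleet-wide rollout would otherwise miss.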
The Windows TCP/IP vulnerability CVE-2020-16898 has PoC exploit code publicly available for denial of service, and the vulnerability could soon be weaponized by malicious actors. Organizations should immediately identify vulnerable assets and proceed with patching, or with the RDNSS workaround where patching must wait.
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.