Data Insider: Digital Guardian's Blog

Microsoft Fixes Critical TCP/IP Vulnerability

by Chris Brook on Wednesday October 14, 2020


A new, potentially wormable remote code execution vulnerability in the Windows TCP/IP stack was patched this week.

Microsoft fixed 87 vulnerabilities across 11 different products this week but the one you're likely going to keep hearing about - and the one it can be argued merits the most attention - is CVE-2020-16898.

The bug, a critical remote code execution vulnerability in Windows 10 and Windows Server 2019, could be exploited by sending a packet to a vulnerable machine.

The vulnerability, already being referred to as "Bad Neighbor" and "Ping of Death Redux" in some circles, was one of 11 critical remote code execution bugs Microsoft fixed on Tuesday as part of its monthly Patch Tuesday release.

The bug stems from the way the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. ICMPv6 is the part of IPv6 that performs error reporting and diagnostic functions, and Router Advertisements are messages generated by IPv6 routers to advertise their presence along with link and Internet parameters. In this case, simply sending a specially crafted packet could lead to code execution on a vulnerable system, which in turn could lead to elevated privileges.

According to Microsoft there are no mitigations, but there is a workaround: outright disabling ICMPv6 RDNSS, the Router Advertisement option that carries recursive DNS server addresses. Microsoft explains how to do so via a PowerShell command on Windows 1709 systems and above, and doing so should prevent attackers from exploiting the vulnerability until the patch is applied.
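As an added example (not Microsoft's published command), the following PowerShell script applies that workaround across every IPv6 interface and records the RDNSS setting before and after. It assumes the netsh `rabaseddnsconfig` interface setting and the "RA Based DNS Config" line that `netsh interface ipv6 show interface` prints for a single interface.

```powershell
# Added example, not Microsoft's published workaround command: audit every IPv6
# interface for RA-based DNS configuration (RDNSS) and turn it off as the interim
# workaround for CVE-2020-16898. Run from an elevated PowerShell session on
# Windows 1709 or later. Assumes the netsh 'rabaseddnsconfig' interface setting
# and the "RA Based DNS Config" line that 'netsh interface ipv6 show interface'
# prints when given one interface index.

function Get-RdnssState {
    param([int]$IfIndex)
    # netsh prints one "Setting : value" line per option; read the RDNSS one
    $line = netsh interface ipv6 show interface $IfIndex |
        Where-Object { $_ -match 'RA Based DNS Config' } |
        Select-Object -First 1
    if ($line -match ':\s*(\w+)\s*$') { return $Matches[1].ToLower() }
    return 'unknown'   # line not found: flag for manual review
}

function Disable-Rdnss {
    param([switch]$WhatIf)   # -WhatIf only reports and changes nothing
    foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
        $before = Get-RdnssState -IfIndex $if.ifIndex
        if ($before -eq 'enabled' -and -not $WhatIf) {
            netsh interface ipv6 set interface $if.ifIndex rabaseddnsconfig=disable | Out-Null
        }
        $after = if ($WhatIf) { $before } else { Get-RdnssState -IfIndex $if.ifIndex }
        [pscustomobject]@{
            ifIndex = $if.ifIndex
            Alias   = $if.InterfaceAlias
            Before  = $before
            After   = $after
        }
    }
}

# Dry run first, then apply. Any interface still 'enabled' or 'unknown' in the
# After column (for example one that netsh refused to change) needs a manual look.
Disable-Rdnss -WhatIf | Format-Table -AutoSize
Disable-Rdnss | Format-Table -AutoSize
```

The workaround is interim: once the October 2020 update is installed, RDNSS can be re-enabled with `rabaseddnsconfig=enable` on interfaces that rely on router-advertised DNS servers.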

Government agencies including the United States Computer Emergency Readiness Team - part of CISA - and U.S. Cyber Command encouraged administrators to update any Microsoft software as soon as possible to prevent a remote compromise.

While there's no evidence the vulnerability has been exploited in the wild yet, several proof-of-concepts for the vulnerability exist, some of which result in an immediate Blue Screen of Death, or BSOD.

The vulnerability sounds remarkably similar to a 2013 flaw in the Windows TCP/IP stack (CVE-2013-3183), an IPv6 version of the Ping of Death attack in which malformed ICMPv6 packets weren't processed correctly, resulting in a denial of service - hence the "Redux" name.


Tags: Vulnerabilities


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.