This last Tuesday has come and gone, and we are left with another high-ranking vulnerability patched by Microsoft during its monthly upkeep. CVE-2020-16898, aka “Bad Neighbor,” is an IPv6 vulnerability “which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system” according to Steve Povolny and Mark Bereza in a post at McAfee Labs.
Apparently the Windows TCP/IP stack mishandles ICMPv6 Router Advertisement packets that use the Recursive DNS Server (RDNSS) Option. The Length field of this option must not be a multiple of 2; in other words, it should be odd and have a value of 3 or greater. When a packet carries a Length value that breaks this rule, and so is not compliant with RFC 8106, an unpatched system can suffer a buffer overflow. This is just a way of saying that data or instructions could be written into memory for execution.
Buffer overflows can lead to shellcode being executed by the target computer. This shellcode could then be used to send maliciously crafted ICMPv6 data to adjacent unpatched computers within the network, making the vulnerability wormable. This can be mitigated by updating to the latest patch from Microsoft, disabling IPv6, or disabling the RDNSS feature for IPv6. Even if you think that you are not actively using IPv6 in your environment, it is often turned on automatically and remains that way until it is turned off.
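A defender can check captured Router Advertisements against the Length rule described above. The following is an added example, not code from Microsoft or McAfee: it walks the options of an ICMPv6 message and flags any RDNSS option whose Length is even or below 3, and goes slightly further by also flagging zero-length and truncated options. It assumes the input is the raw ICMPv6 message starting at its type byte; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861 message type
RA_FIXED_HEADER_LEN = 16           # bytes before the first option
OPT_RDNSS = 25                     # RFC 8106 Recursive DNS Server option


def check_router_advertisement(icmpv6: bytes) -> list:
    """Return one finding per option that breaks the RFC length rules."""
    findings = []
    if len(icmpv6) < RA_FIXED_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings  # not a Router Advertisement, nothing to inspect
    offset = RA_FIXED_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:  # RFC 4861: zero-length options are invalid
            findings.append(f"offset {offset}: option Length=0")
            break
        if opt_type == OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"offset {offset}: RDNSS Length={opt_len}, expected odd and >= 3")
        if offset + opt_len * 8 > len(icmpv6):
            findings.append(f"offset {offset}: option runs past end of packet")
            break
        offset += opt_len * 8  # Length is counted in 8-octet units
    return findings


def sample_rdnss(length: int) -> bytes:
    """Constructed RDNSS option, sized to whatever its Length field claims."""
    addr = ipaddress.IPv6Address("2001:db8::53").packed  # documentation prefix
    opt = struct.pack("!BBHI", OPT_RDNSS, length, 0, 600) + addr
    return opt.ljust(length * 8, b"\x00")[: length * 8]


def sample_ra(options: bytes) -> bytes:
    """Constructed RA body: fixed header (checksum left at zero) plus options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + options


if __name__ == "__main__":
    for length in (3, 4, 5):
        print(length, check_router_advertisement(sample_ra(sample_rdnss(length))))
```

A non-empty result on traffic from your own routers deserves as much attention as one from an unknown host, since a compliant router never emits an even RDNSS Length.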