CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability Alert
This critical security vulnerability is located in the Windows TCP/IP stack, which does not properly handle ICMPv6 Router Advertisement packets.
ICMP is the Internet Control Message Protocol. The ping utility commonly used to test a server's reachability and response time is built on ICMP.
Microsoft states that when an attacker crafts a specific ICMPv6 Router Advertisement packet and sends it to the target computer, the vulnerability is triggered and arbitrary code can be executed remotely.
Exploiting this vulnerability requires no interaction from the user. In theory, as long as the attacker knows the target's IP address, the vulnerability can be used to launch an attack.
Accordingly, the CVSS score of this vulnerability is as high as 9.8/10. Microsoft has corrected the TCP/IP stack's packet handling through cumulative updates to fix the vulnerability.
Vulnerability Detail
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
Affected versions
- Microsoft Windows Server 2019, version 1903/1909/2004
- Microsoft Windows 10 version 1709/1803/1809/1903/1909/2004
Solution
Disable ICMPv6 RDNSS.
You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the netsh command below (run from an elevated PowerShell or command prompt). This workaround is only available for Windows 1709 and above. See What's new in Windows Server 1709 for more information.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Note: No reboot is needed after making the change.
You can revert the workaround with the command below.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable
Note: No reboot is needed after reverting the workaround.
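The command above must be repeated for every interface number. The PowerShell script below is an added example (not part of the advisory) that applies the same netsh setting to every IPv6 interface and reads the result back; it assumes Get-NetIPInterface is available (Windows 8 / Server 2012 and later) and that `netsh interface ipv6 show interface` prints an "RA Based DNS Config" line, as it does on current Windows builds.

```powershell
# Added example: apply or revert the CVE-2020-16898 RDNSS workaround on all IPv6
# interfaces and verify the resulting setting. Run from an elevated PowerShell
# session on Windows 10 / Server 1709 or later.
param(
    [ValidateSet('disable', 'enable')]
    [string]$Mode = 'disable'   # 'enable' reverts the workaround once patched
)

# Enumerate IPv6-capable interfaces; ifIndex is the number netsh expects.
$interfaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

foreach ($if in $interfaces) {
    $idx = $if.ifIndex

    # Same command as the advisory, with the interface index substituted.
    netsh interface ipv6 set interface $idx rabaseddnsconfig=$Mode | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to set rabaseddnsconfig=$Mode on interface $idx ($($if.InterfaceAlias))"
        continue
    }

    # Verify by reading the interface's current RA-based DNS setting back.
    # Assumption: the show output contains a line such as
    #   "RA Based DNS Config (RFC 6106)     : disabled"
    $line = netsh interface ipv6 show interface $idx |
        Where-Object { $_ -match 'RA Based DNS Config' }
    $status = if ($line -match 'disabled') { 'disabled' }
              elseif ($line -match 'enabled') { 'enabled' }
              else { 'unknown' }

    [pscustomobject]@{
        Index = $idx
        Alias = $if.InterfaceAlias
        RDNSS = $status
    }
}
```

Any interface reported as `enabled` after running with `-Mode disable` is still accepting RDNSS options from Router Advertisements and should be checked by hand; no reboot is required in either direction.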