CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability Alert

On October 13, 2020, Microsoft had issued a risk notice for a TCP/IP remote code execution vulnerability. The vulnerability number is CVE-2020-16875, the vulnerability level is critical. CVSS Score is 9.0 The remote attacker constructs a specially crafted ICMPv6 Router Advertisement packet and sends it to the remote Windows host to execute arbitrary code on the target host. The vulnerability detail has been revealed by the MacAfee team.

This critical security vulnerability is located in the Windows TCP/IP stack. The TCP/IP stack cannot properly handle ICMPv6 routing packets.

ICMP is the Internet Control Message Protocol. The Ping function we often use to test the server’s response time is the ICMP.

Microsoft said that when an attacker creates a specific ICMP v6 routing advertisement packet and sends it to the target computer, the vulnerability can be triggered and arbitrary code can be executed remotely.

The attacker exploits this vulnerability and does not require any interaction from the user. In theory, as long as the attacker knows the target IP, the vulnerability can be used to initiate an attack.

It is also true that the total CVSS score of this vulnerability is as high as 9.8/10 points. At present, Microsoft has corrected the TCP/IP processing packet through cumulative updates to solve the vulnerability.

Vulnerability Detail

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

Affected version

• Microsoft Window Server 2019, version 1903/1909/2004
• Microsoft Windows 10 version 1709/1803/1809/1903/1909/2004

Solution