October 25, 2020

CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability Alert

On October 13, 2020, Microsoft issued a risk notice for a TCP/IP remote code execution vulnerability. The vulnerability number is CVE-2020-16898 and the severity level is critical. The CVSS score is 9.0. A remote attacker can construct a specially crafted ICMPv6 Router Advertisement packet and send it to a remote Windows host to execute arbitrary code on the target host. The vulnerability details have been revealed by the McAfee team.

This critical security vulnerability is located in the Windows TCP/IP stack, which cannot properly handle ICMPv6 Router Advertisement packets.

ICMP is the Internet Control Message Protocol. The ping utility we often use to test a server's response time relies on ICMP.

Microsoft said that when an attacker creates a specific ICMPv6 Router Advertisement packet and sends it to the target computer, the vulnerability can be triggered and arbitrary code can be executed remotely.

Exploiting this vulnerability does not require any interaction from the user. In theory, as long as the attacker knows the target IP, the vulnerability can be used to initiate an attack.

Accordingly, the overall CVSS score of this vulnerability is as high as 9.8 out of 10. Microsoft has corrected the TCP/IP stack's packet handling through cumulative updates, which resolve the vulnerability.

Vulnerability Detail

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

Affected version

  • Microsoft Windows Server 2019, version 1903/1909/2004
  • Microsoft Windows 10 version 1709/1803/1809/1903/1909/2004

Solution

We recommend that users update Windows to the latest version promptly.

Temporary repair suggestions

Disable ICMPv6 RDNSS.

You can disable ICMPv6 RDNSS with the PowerShell command below to prevent attackers from exploiting the vulnerability. This workaround is only available for Windows 1709 and above. See "What's new in Windows Server 1709" for more information.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Note: No reboot is needed after making the change.

You can disable the workaround with the PowerShell command below.

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

Note: No reboot is needed after disabling the workaround.
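
The workaround above is set per interface, so it has to be checked on every IPv6 interface of a host. The following is an added example, not part of the original advisory text: a PowerShell function that reports the current setting for each interface and, with -Apply, runs the same netsh command shown above. The function name and the "RA Based DNS Config" label it looks for in English netsh output are assumptions.

```powershell
# Added example: audit (and optionally apply) the rabaseddnsconfig workaround
# on every IPv6 interface. Run from an elevated PowerShell prompt.
# Assumption: 'netsh int ipv6 show int <index>' prints a line beginning with
# "RA Based DNS Config" on Windows 1709 and later (English-language output).
function Set-RaBasedDnsWorkaround {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [switch]$Apply                       # without -Apply, report only
    )

    # Reads the current setting for one interface index from netsh.
    $readState = {
        param($Index)
        $line = netsh int ipv6 show int $Index |
            Select-String -Pattern 'RA Based DNS Config' |
            Select-Object -First 1
        if ($line) { ($line.Line -split ':', 2)[1].Trim() } else { 'unknown' }
    }

    foreach ($nic in Get-NetIPInterface -AddressFamily IPv6 | Sort-Object InterfaceIndex) {
        $idx    = $nic.InterfaceIndex
        $before = & $readState $idx
        $after  = $before

        if ($Apply -and $before -ne 'disabled') {
            # Same command as the workaround, with the index filled in.
            netsh int ipv6 set int $idx rabaseddnsconfig=disable | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "netsh failed on interface $idx ($($nic.InterfaceAlias))"
            }
            $after = & $readState $idx       # re-read to confirm the change
        }

        [pscustomobject]@{
            Index  = $idx
            Alias  = $nic.InterfaceAlias
            Before = $before
            After  = $after
        }
    }
}

# Report only:        Set-RaBasedDnsWorkaround | Format-Table
# Apply workaround:   Set-RaBasedDnsWorkaround -Apply | Format-Table
```

An interface reported as "unknown" did not expose the setting in its netsh output, which is expected on builds older than 1709.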