Don’t You Be My Neighbor – Specially Crafted IPv6 Packet Causes Blue Screen of Death

Posted in: Resources » Cyber Heads-up

Overview:

On October 13, US-CERT and US Cyber Command issued a Tweet urging organizations and users to install updates released as part of Microsoft’s “Patch Tuesday” security and feature updates. This round of patches closes a particularly nasty vulnerability where a specially crafted IPv6 packet can induce a computer to crash and reveal the dreaded Blue Screen of Death (BSoD). Microsoft states that the CVE-2020-16898 bug, also known as ‘Bad Neighbor’, is a remote code execution (RCE) vulnerability in the Windows TCP/IP stack that can also be used to trigger a denial of service (DoS) leading to a BSoD.

Bad Neighbor impacts both client (Windows 10 versions 1709 up to 2004) and server (Windows Server version 1903 up to 2004 and Windows Server 2019) platforms, making it a critical vulnerability for all modern Windows environments.

Technical details are at the end of this post.

Assura’s Take:

The obvious remediation step is to patch your systems. Until that can be done, a mitigating step is to disable the ICMPv6 Recursive DNS Server option using the following PowerShell command  (no reboot is needed):

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

To re-enable ICMPv6 RDNSS once you applied the security update you have to use this PowerShell command (no reboot needed):

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

If you aren’t running IPv6 in your environment, it’s best to disable it in your network settings. As Assura’s own Nick Berrie demonstrated at the recent Virginia Alliance for Secure Computing and Networking virtual conference, there are other risks of running IPv6 without taking certain proactive measures. Enterprises can do this through a Group Policy Object (GPO) in Active Directory Domain Service.

If you’re an Assura Virtual ISO or Managed SOC client, feel free to reach out to your point-of-contact for guidance relevant for your specific environment. As always, anyone can email us at [email protected].

Sincerely,

The Assura Team

Technical Details:

Sophos has created a video running Proof of Concept code to demonstrate how simple it is to exploit this vulnerability: