
CVE-2020-16898 is a remote code execution vulnerability caused by the improper handling of ICMPv6 Router Advertisement packets by the Windows TCP/IP stack. Microsoft's recommended workaround is to disable the ICMPv6 RDNSS component.

My question is: on my system, I already have TCP/IPv6 unchecked in my network adaptor options. Is this an effective mitigation?

Remark 1: Common sense tells me that with IPv6 disabled on the adaptor, the problematic upper-layer ICMPv6 RDNSS code should not be able to receive maliciously crafted packets. But I cannot be sure, especially with all the fancy functions offered by IPv6, such as Teredo, 4in6, or other tunneling methods. If there is any material indicating whether or not this is the case, please do share.

Remark 2: I have tested the PoC for causing BSoD (https://github.com/0xeb-bp/cve-2020-16898). The PoC does not work when IPv6 is disabled in adaptor settings. But no tunneling has been configured in my tests.

Remark 3: I know that IPv6 is an essential component of Windows and that disabling it could cause other components to stop working. But it has been disabled for a long time and I would like to keep it disabled.

kenlukas
    Apparently they released a security update. Why not install the update? – user253751 Oct 19 '20 at 10:08
  • Actually, the situation is in an organizational setting. A forced update and reboot is interruptive to users and should be avoided, so I am trying to find an effective mitigation until all users have updated their machines. – Travis Madson Oct 20 '20 at 00:25
  • Note that *normally* router advertisements are only sent on the local network. They shouldn't go through routers. I don't know what happens in regards to this vulnerability if router advertisements *do* go through routers. I believe hosts are supposed to ignore ones that did, but perhaps they still trigger the vulnerability, or perhaps not. – user253751 Oct 20 '20 at 10:12

1 Answer


Disabling the whole IPv6 stack is probably not a good idea, especially if you have applications that use IPv6. On the other hand, you have the source code of a tool that can trigger the issue, so my recommendation is to block that traffic on the host firewall if possible; another option would be to disable RA packets, but that depends on your operating system. If you cannot block the traffic, probably the only option you have is to disable the IPv6 stack.

camp0
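The mitigations this thread weighs, audited and optionally applied from PowerShell, as an added example that is not code from the question or the answer: the netsh `rabaseddnsconfig` switch is Microsoft's published workaround for this CVE, the `ms_tcpip6` binding check mirrors the asker's "TCP/IPv6 unchecked" setting, and the ICMPv6 type 134 firewall rule is my reading of the answer's "block that traffic on the host firewall". The `-InterfaceIndex` parameter and the firewall rule name are constructed for this example.

```powershell
# Added example: audit (and optionally apply) the CVE-2020-16898 mitigations discussed above.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
# Audit only by default; -Apply disables RDNSS and blocks inbound RAs on the listed interfaces.
param(
    [switch]$Apply,
    [int[]] $InterfaceIndex = @()   # interface indexes to harden when -Apply is given (constructed parameter)
)

# 1. The asker's mitigation: which adapters still have the TCP/IPv6 binding (ms_tcpip6) enabled?
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if ($bound) { Write-Host "TCP/IPv6 still bound on:"; $bound | Format-Table Name, Enabled -AutoSize }
else        { Write-Host "TCP/IPv6 is unbound on every adapter." }

# 2. Per IPv6 interface: is RA processing on, and is RA-based DNS config (RDNSS, RFC 6106) enabled?
#    Microsoft's published workaround for this CVE is to disable the latter with netsh.
#    The netsh label is matched on English Windows only; other locales print a translated label.
foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
    $rdnss = netsh interface ipv6 show interface $if.InterfaceIndex |
             Select-String 'RA Based DNS Config' | ForEach-Object { $_.Line.Trim() }
    "{0,-4} {1,-28} RouterDiscovery={2,-17} {3}" -f $if.InterfaceIndex, $if.InterfaceAlias, $if.RouterDiscovery, $rdnss
}

if (-not $Apply) { return }

foreach ($idx in $InterfaceIndex) {
    # 3. Microsoft's workaround: stop the stack from consuming RDNSS options. Reverse with
    #    rabaseddnsconfig=enable once the security update is installed.
    netsh interface ipv6 set interface $idx rabaseddnsconfig=disable

    # 4. The answer's alternative: drop inbound ICMPv6 Router Advertisements (type 134) at the
    #    host firewall. Hosts that get their IPv6 address via SLAAC lose it on that interface,
    #    so only do this where IPv6 is not needed there. The rule name is a constructed label.
    $alias = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv6).InterfaceAlias
    New-NetFirewallRule -DisplayName "Block ICMPv6 RA (CVE-2020-16898) - $alias" `
        -Direction Inbound -Protocol ICMPv6 -IcmpType 134 -Action Block `
        -InterfaceAlias $alias -Profile Any | Out-Null
}
```

Unbinding `ms_tcpip6` (step 1) does not touch tunnel adapters such as Teredo, which is why the audit in step 2 lists every IPv6 interface rather than only the physical ones.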