Sunday, October 25, 2020

Bad Neighbor CVE-2020-16898

On October 13, 2020, Microsoft issued a security vulnerability notice, Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898), which affects Server 2019 and Windows 10.

From the notice:

"A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets."

This is an unauthenticated vulnerability, meaning you don't need any credentials on the domain to exploit it. A security researcher named Adam wrote a proof-of-concept exploit in Python. The write-up is extremely detailed and walks you through his development. The blog is available here - CVE-2020-16898 – Exploiting “Bad Neighbor” vulnerability. The Python script needed to exploit the vulnerability is available on the blog.

Mitigation

Microsoft does not recommend completely disabling IPv6 as a mitigation. As a workaround, they provide this netsh command:

Disable ICMPv6 RDNSS


netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

To find the interface number, I found this PowerShell script: Enumerate IPv6 interfaces

The same GitHub has a script to disable RDNSS.

Example - I ran this from the PowerShell ISE program:

PS C:\Windows\system32> Get-NetIPInterface -AddressFamily ipv6 | foreach{
   [PSCustomObject]@{
        "IfIndex"   = (& netsh int ipv6 show int $_.ifIndex) -match 'IfIndex' -replace "ifindex\s*:","" | Out-String
        "RFC"   = (& netsh int ipv6 show int $_.ifIndex) -match '(RFC 6106)' -replace "RA Based DNS Config \(RFC 6106\)\s*:","" | Out-String
    }
}

IfIndex RFC       
------- ---       
 5...    enable...
 6...    enable...
 1...    enable...

PS C:\Windows\system32> netsh int ipv6 set int 5 rabaseddnsconfig=disable
Ok.
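
The two manual steps above (look up each interface, then run netsh against it) can be combined into one pass over every IPv6 interface. This is an added example, not the GitHub script mentioned above and not Microsoft's code; the function name Get-RdnssState is hypothetical, and it assumes English netsh output and an elevated PowerShell session.

```powershell
# Added example: audit and disable RA-based DNS config (RFC 6106) on all IPv6 interfaces.
# Assumptions: elevated session, English-language netsh output.

function Get-RdnssState {
    param([Parameter(Mandatory)][uint32]$IfIndex)
    # netsh prints one line such as "RA Based DNS Config (RFC 6106)     : enabled"
    $line = (& netsh int ipv6 show int $IfIndex) |
        Where-Object { $_ -match 'RFC 6106' } |
        Select-Object -First 1
    if ($line -and $line -match ':\s*(\S+)\s*$') { return $Matches[1] }
    return 'unknown'   # setting not reported (older build or localized output)
}

$report = foreach ($nic in Get-NetIPInterface -AddressFamily IPv6) {
    $before = Get-RdnssState -IfIndex $nic.ifIndex
    $result = 'skipped'
    if ($before -like 'enable*') {
        # Same workaround command as shown above, applied per interface
        & netsh int ipv6 set int $nic.ifIndex rabaseddnsconfig=disable | Out-Null
        $result = if ($LASTEXITCODE -eq 0) { 'changed' } else { 'failed' }
    }
    [PSCustomObject]@{
        IfIndex = $nic.ifIndex
        Alias   = $nic.InterfaceAlias
        Before  = $before
        After   = Get-RdnssState -IfIndex $nic.ifIndex   # re-read to confirm
        Result  = $result
    }
}

$report | Format-Table -AutoSize

# Flag anything that is still not disabled so it is not missed in a long list.
$open = $report | Where-Object { $_.After -notlike 'disable*' }
if ($open) {
    Write-Warning ("RDNSS still not disabled on ifIndex: " + ($open.IfIndex -join ', '))
}
```

Rerun it after adding adapters or VPN interfaces, since new interfaces get their own setting.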


Mitigation using a Cisco network switch

If you are using Cisco switches in your environment you can use the following to mitigate. I show this in the video.

From global configuration mode:

  • SW1(config)#ipv6 nd raguard policy HOST-POLICY
  • SW1(config-nd-raguard)#device-role host
Note: host is the default role, so you don't have to enter the device-role.

From interface configuration mode:

  • SW1(config)#int gig0/1
  • SW1(config-if)#ipv6 nd raguard attach-policy HOST-POLICY

Verify

SW1#sh ipv6 nd raguard policy HOST-POLICY

Policy RAGUARD configuration:

device-role host

Policy HOST-POLICY is applied on the following targets:

Target               Type Policy               Feature       Target range

Gi0/1               PORT RAGUARD            RA guard       vlan all


Mitigation using an Aruba switch running ProVision software

In this example, an Aruba 5412 switch is used.

sw2(config)# ipv6 ra-guard ports i1 log

Verify
sw2# show ipv6 ra-guard | exclude  No    0

 IPv6 RA Guard Information

  Port  Block RAs Blocked Redirs Blocked Log
  ----- ----- ----------- -------------- ---
  I1    Yes   0           0              Yes


Watch Bad Neighbor in action

I made a 2-minute video showing a Windows 2019 server blue screening when Adam's script is run against the server. After showing the blue screen, I enable RA Guard on a Cisco switch and rerun the script. This prevents the blue screen. Here is a link to the video - Bad Neighbor cve 2020 16898

Juniper network devices

Juniper has announced that Junos OS is vulnerable under certain conditions. Here is their bulletin:

2020-10 Security Bulletin: Junos OS:


References

CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability - A detailed write-up by Johannes Ullrich of SANS.

Cisco RA Guard blog

MITRE CVE for 2020-16898

Zeek package to detect Bad Neighbor

There Goes The Neighborhood - Rapid7 blog on Bad Neighbor