Sunday, October 25, 2020

Bad Neighbor cve-2020-16898

On October 13, 2020 Microsoft issued a security vulnerability notice - Windows TCP/IP Remote Code Execution Vulnerability. CVE-2020-16898 which affects Server 2019 and Windows 10.

From the notice:

"A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets."

This is an unauthenticated vulnerability meaning you don't need any credentials on the domain to exploit it. A security researcher named Adam wrote a Proof of Concept exploit in python. The write up is extremely detailed and walks you through his development. The blog is available here - CVE-2020-16898 – Exploiting “Bad Neighbor” vulnerability The python script needed to exploit the vulnerability is available on the blog.


Microsoft does not recommend completely disabling IPv6 to mitigate. As a workaround, they provide this netsh script

Disable ICMPv6 RDNSS

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

To find the interface number I found this Powershell script Enumerate IPv6 interfaces

The same GitHub has a script to disable RDNSS.

Example - I ran this from the Powershell ISE program:

PS C:\Windows\system32> Get-NetIPInterface -AddressFamily ipv6 | foreach{
        "IfIndex"   = (& netsh int ipv6 show int $_.ifIndex) -match 'IfIndex' -replace "ifindex\s*:","" | Out-String
        "RFC"   = (& netsh int ipv6 show int $_.ifIndex) -match '(RFC 6106)' -replace "RA Based DNS Config \(RFC 6106\)\s*:","" | Out-String

IfIndex RFC       
------- ---       
 5...    enable...
 6...    enable...
 1...    enable...

PS C:\Windows\system32> netsh int ipv6 set int 5 rabaseddnsconfig=disable

Mitigation using a Cisco network switch

If you are using Cisco switches in your environment you can use the following to mitigate. I show this in the video.

From global configuration mode:

  • SW1(config)#ipv6 nd inspection policy policy-name HOST-POLICY
  • SW1(config-nd-inspection)#device-role host
Note: host is the default role so you don't have to enter the device-role.

From interface configuration mode

  • SW1(config)#int gig0/1
  • SW1(config-if)#ipv6 nd raguard attach-policy HOST-POLICY


SW1#sh ipv6 nd raguard policy HOST-POLICY

Policy RAGUARD configuration:

device-role host

Policy HOST-POLICY is applied on the following targets:

Target               Type Policy               Feature       Target range

Gi0/1               PORT RAGUARD            RA guard       vlan all

Mitigation using an Aruba switch running Provision software

In this example, an Aruba 5412 switch is used

sw2(config)# ipv6 ra-guard ports i1 log

sw2# show ipv6 ra-guard | exclude  No    0

 IPv6 RA Guard Information

  Port  Block RAs Blocked Redirs Blocked Log
  ----- ----- ----------- -------------- ---
  I1    Yes   0           0              Yes

Watch Bad Neighbor in action

I made a 2-minute video showing a Windows 2019 server blue screening when Adam's script is run against the server. After showing the blue screen I enable ra guard on a cisco switch and rerun the script. This prevents the blue screen. Here is a link to the video - Bad Neighbor cve 2020 16898

Juniper network devices

Juniper has announced that JunOS is vulnerable under certain conditions. Here is their bulletin:

2020-10 Security Bulletin: Junos OS:


CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability - A detailed write up by Johannes Ulrich of SANS.

Cisco RA Guard blog

MITRE CVE for 2020-16898

ZEEK package to detect Bad Neighbor

There Goes The Neighborhood - Rapid 7 blog on Bad Neighborhood

No comments:

Post a Comment