[English]Administrators and users should promptly install the security updates for Windows 10 and its server counterparts from October 13, 2020. Then the TCP/IP vulnerability CVE-2020-16898 ('Bad Neighbor') will be closed. US-CERT explicitly warns about this vulnerability.
Advertising
The vulnerability CVE-2020-16898
The vulnerability CVE-2020-16898 was disclosed by Microsoft in a security advisory on October 13, 2020. It is a remote code execution (RCE) vulnerability in Microsoft's Windows TCP/IP implementation. Microsoft writes about it in the security advisory:
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
Microsoft has now lowered the CVSS rating from 9.8 to 8.8 because the vulnerability is not routable over the Internet, as reported here by colleagues from Bleeping Computer.
US-CERT warns – Exploits available – patch now
Last Friday (October 15, 2020), US-CERT Cyber Command posted a warning on Twitter, that people should patch the CVE-2020-16898 vulnerability.
McAfee published a detailed description of the vulnerability on October 13. A further analysis can be found on the Quarkslab blog. As of October 16, 2020 there was this post about how to use an exploit for the vulnerability (references here and here). So it is time to fix this vulnerability. Microsoft claims that virtually all Windows 10 builds, as well as their Windows Server counterparts, are affected. In the support articles for the October 2020 security updates the vulnerability CVE-2020-16898 or the fix is not explicitly mentioned so far (see also Patchday: Windows 10 updates (October 13, 2020)). Bleeping Computer has published an article with hints to mitigate the bug:
Advertising
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
using the above command – suitable, if a patch can't be installed immediately.