from Hacker News

CVE-2020-16898 – Windows TCP/IP Remote Code Execution Vulnerability

by marksamman on 10/13/20, 5:52 PM with 20 comments

  • by mrpippy on 10/13/20, 6:58 PM

    Sophos says achieving RCE is extremely difficult: https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply...

    I also assume that routers won't pass ICMPv6 RAs, so limited to a single network segment. And, only affects Windows 10.

  • by Pick-A-Hill2019 on 10/14/20, 8:34 PM

    While true that it is extremely difficult to exploit (especially given the uptake of IPv6) there are some POC samples out there but I disagree with the severity rating awarded.

    The 'juicy details' are as follows -

        The validity of DNS options is checked with the Length field; that is, the value of the Length field in the RDNSS option is greater than or equal to the minimum value (3) and satisfies the requirement that (Length - 1) % 2 == 0. When an even length value is provided, the Windows TCP/IP stack incorrectly advances the network buffer by an amount that is 8 bytes too few.

    (Note: Only relates to IPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even).

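As an added defender-side example (not code from this thread, from Microsoft, or from Sophos), the Python below walks the Neighbor Discovery options in an ICMPv6 Router Advertisement body and flags any RDNSS (type 25) option whose Length field is even or below 3, which is the malformed condition quoted above. The `build_ra`/`rdnss_option` helpers and the `2001:db8::53` address are constructed test input, and the code assumes it is handed the ICMPv6 body (not the IPv6 header) of a frame already captured by a sensor.

```python
"""
Detection helper for the RDNSS Length condition described in CVE-2020-16898.
Added example; not from the Hacker News thread, Microsoft, or Sophos.
Input is an ICMPv6 Router Advertisement body (ICMPv6 header onward).
"""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPTION_RDNSS = 25           # RFC 8106 Recursive DNS Server option
RA_FIXED_HEADER_LEN = 16    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPTION_UNIT = 8             # ND option Length is counted in 8-octet units


def iter_ra_options(ra):
    """Yield (type, length_units, raw_option_bytes) for each ND option in an RA body.
    A zero Length is forbidden by RFC 4861, so it raises instead of looping forever."""
    off = RA_FIXED_HEADER_LEN
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1]
        if opt_len == 0:
            raise ValueError(f"zero-length ND option at offset {off}")
        end = off + opt_len * OPTION_UNIT
        yield opt_type, opt_len, ra[off:min(end, len(ra))]
        off = end


def rdnss_findings(ra):
    """Return human-readable findings for RDNSS options whose Length is not a valid
    odd value >= 3 (one 16-byte address = 3 units, each further address adds 2)."""
    findings = []
    if len(ra) < RA_FIXED_HEADER_LEN or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings  # not a Router Advertisement, nothing to check
    for opt_type, opt_len, raw in iter_ra_options(ra):
        if opt_type != OPTION_RDNSS:
            continue
        if opt_len < 3:
            findings.append(f"RDNSS option with Length {opt_len} below minimum 3")
        elif opt_len % 2 == 0:
            findings.append(f"RDNSS option with even Length {opt_len} (malformed; CVE-2020-16898 pattern)")
        if len(raw) < opt_len * OPTION_UNIT:
            findings.append(f"RDNSS option Length {opt_len} exceeds remaining packet bytes")
    return findings


def build_ra(options):
    """Construct a minimal RA body (hop limit 64, router lifetime 1800s) with options appended.
    Test input only; the checksum is left at zero."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(length_units, addresses):
    """Construct an RDNSS option: type 25, Length, reserved, lifetime, then address bytes.
    Length is written as given so a sample with an inconsistent Length can be built."""
    return struct.pack("!BBHI", OPTION_RDNSS, length_units, 0, 3600) + b"".join(addresses)


# Constructed samples: a well-formed RA advertising one DNS server (Length 3, 24 bytes)
# and one whose RDNSS Length is even (Length 4, 32 bytes).
DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")  # 2001:db8::53, documentation prefix
GOOD_RA = build_ra([rdnss_option(3, [DNS_ADDR])])
BAD_RA = build_ra([rdnss_option(4, [DNS_ADDR, DNS_ADDR[:8]])])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("bad", BAD_RA)):
        print(name, rdnss_findings(pkt) or "no findings")
```

Because Router Advertisements are link-local (hop limit 255, never forwarded), this check belongs on a sensor or switch port facing the segment in question; it reports the even-Length pattern the comment describes and, separately, an option whose Length runs past the end of the captured packet.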
  • by goalieca on 10/13/20, 6:43 PM

    This is wormable. Ready your patches!

  • by nullc on 10/13/20, 10:08 PM

    Anyone have lists of suggested filters for L3 switches and access points to block this traffic?

    If I had a campus network of windows hosts I'd be very concerned about this!

  • by NikolaeVarius on 10/13/20, 7:49 PM

    "While Shodan.io shouldn’t be counted on as a definitive source, our best queries put the number of Windows Server 2019 machines with IPv6 addresses is in the hundreds, not exceeding approximately 1000. This is likely because most servers are behind firewalls or hosted by Cloud Service Providers (CSPs) and not reachable directly via Shodan scans."

    High priority issue, but I don't think we will see some massive wave of outages.

  • by dublin on 10/14/20, 4:15 PM

    It would be nice to know if this vulnerability is avoided by simply disabling IPv6, since almost no one uses v6 on LANs anyway.