A new & potentially wormable remote code execution vulnerability in the Windows TCP/IP stack was patched this week.
The bug, a critical remote code execution vulnerability in Windows 10 & Windows Server 2019, ‘could be exploited by sending a packet to a vulnerable machine.
This vulnerability, which is being referred to as “Bad Neighbour” & “Ping of Death Redux” by some, was one of 11 critical remote code execution bugs fixed by the company on Tuesday as part of the company’s monthly Patch Tuesday event.
The bug results from an issue with Windows TCP/IP stack, i.e. the fact that it improperly handles ICMPv6 router advertisement packets. ICMPv6 is a part of IPv6 that performs error reporting & diagnostic functions.
Router Advertisements are messages generated by IPv6 routers to advertise their presence with link and Internet parameters. Here, simply sending a specially crafted packet could lead to code execution on a vulnerable system, something which in turn could likely lead to elevated privileges.
There are no mitigations says Microsoft but there are workarounds, including outright disabling ICMPv6 RDNSS, & Microsoft instructs how to do so via a PowerShell command on Windows 1709 systems & above, that should theoretically prevent attackers from exploiting the vulnerability.
Government agencies including the US Computer Emergency Readiness Team – part of CISA – and US Cyber Command encouraged administrators to update any Microsoft software as soon as possible to prevent a remote compromise.
‘Blue Screen of Death’
While there is no evidence the vulnerability has been exploited in the wild so far, several proof-of-concepts for the vulnerability, some which result in an immediate ‘Blue Screen of Death’, or BSOD, do exist.
The vulnerability is very similar to another 2013 vulnerability (CVE-2013-3183) in Windows TCP/IP stack, an IPv6 version of the ‘Ping of Death’ attack that resulted in a denial of service – hence the Redux name, in which malformed ICMPv6 packets weren’t processed correctly.