Microsoft has released a patch for a critical remote code execution vulnerability in Windows 10 and Windows Server 2019 that can be exploited by sending one packet to a vulnerable machine.
While the vulnerability (CVE-2020-16898) is simple to exploit and could result in a full compromise of a target machine, there are some mitigating factors, specifically the fact that it exists in the Windows IPv6 stack and not the IPv4 stack. So, disabling IPv6 if it's not in use is the quickest mitigation. There is a proof-of-concept exploit for the bug that has been shared with members of Microsoft’s Active Protection Program, but Microsoft said in its advisory that, to its knowledge, the vulnerability has not yet been exploited in the wild.
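The article's interim mitigation is to turn off IPv6 where it is not needed. The following added PowerShell audit (not from the article or from Microsoft) lists which adapters still have IPv6 bound and which IPv6 interfaces process Router Advertisements, then unbinds IPv6 only on adapters you pass in; the `$AdaptersToDisable` parameter name is an assumption of this example.

```powershell
# Added example, not from the article: audit IPv6 exposure on a Windows host
# and unbind IPv6 on adapters confirmed not to need it.
# Run in an elevated PowerShell session.
param(
    # Assumption: adapter names you have already confirmed do not use IPv6.
    [string[]] $AdaptersToDisable = @()
)

# 1. Which adapters have the IPv6 protocol (component ms_tcpip6) bound at all?
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# 2. Which IPv6 interfaces have router discovery on? Router discovery is the
#    process that consumes ICMPv6 Router Advertisement packets, the message
#    type named in the Microsoft advisory.
$interfaces = Get-NetIPInterface -AddressFamily IPv6 |
    Select-Object InterfaceAlias, ConnectionState, RouterDiscovery

Write-Host "IPv6 protocol bindings per adapter:"
$bindings | Format-Table -AutoSize
Write-Host "IPv6 interfaces and router discovery state:"
$interfaces | Format-Table -AutoSize

# 3. Unbind IPv6 only on adapters explicitly listed; everything else is left as is.
foreach ($name in $AdaptersToDisable) {
    Disable-NetAdapterBinding -Name $name -ComponentID ms_tcpip6 -Confirm:$false
    Write-Host "IPv6 unbound on adapter '$name'"
}
```

Unbinding IPv6 is a stopgap for hosts that cannot be patched immediately; installing the Microsoft update remains the actual fix.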
“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable,” Steve Povolny and Mark Bereza of McAfee Advanced Threat Research said in an analysis of the flaw.
The flaw is reminiscent of the “ping of death” bug that plagued the TCP/IP implementations in many Windows, Unix, and Linux systems. Like the new flaw, it could be triggered with a single malformed ICMP packet, and it was frequently used in DDoS attacks. And this isn’t the first such flaw to affect the Windows IPv6 stack, either. In 2013 Microsoft patched a similar bug, but it only allowed a denial of service rather than remote code execution.
The Microsoft advisory for CVE-2020-16898 is short and to the point, but it makes it clear that this vulnerability would not be a hard target for many attackers. Microsoft’s Platform Security Assurance and Vulnerability Research team discovered the vulnerability.
“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client,” the advisory says.
“To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.”
McAfee’s researchers said that the softest targets for attackers are likely individual consumer machines rather than enterprise servers and laptops.
“The largest impact here will be to consumers on Windows 10 machines, though with Windows Updates the threat surface is likely to be quickly minimized,” they said.
The SophosLabs Offensive Security team has a detailed teardown of the vulnerability and also developed its own proof-of-concept exploit.