CVE-2020-16898 – Bad Neighbor
SIEM Content Packages
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
An attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer to exploit this vulnerability.
The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. (Microsoft)
MITRE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16898
CVSS Score: 9.8
We strongly recommend disabling IPV6 on all end devices if the IPV6 protocol is not in use because it’s vulnerable to many attacks.
More information below:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ipv6
Otherwise, we recommend patching your hosts and servers to this vulnerability.
Here’s the link for MSRC to download the relevant KB:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
A little bit about the process:
Because the process is performed on top of the TCP \ IPV6 protocol, it is highly advisable to implement it in real-time detection if possible using IDS \ IPS such as Suricata.
McAfee team has built a rule that can be applied to Suricata – link below:
https://github.com/advanced-threat-research/CVE-2020-16898
Technical Details:
We have tested the vulnerability using this POC:
After running the attack, the target device got a bluescreen, and after the restart, the following event log was written:
External ID: 1001
Where the event data contains the values “BlueScreen” and “tcpip!Ipv6pHandleRouterAdvertisement”
We built content packages based on this data to identify this exploit.
Note that this event was created after the DoS using this exploit (1001 related to bluescreen). To detect the RCE, we recommend using the Suricata project we shared in this post – because analyzing the network traffic is needed in this case.
Affected Windows Versions:
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Before installing the packages:
Ensure collecting the event log 1001 from the network’s devices by using WEF.
Collecting the logs only from DC will not be enough.
Note that event 1001 is an Application event – most SIEM systems only collect the security events, so make sure to configure it as well.
Download:
Our packages are available in these links – and will be frequently updated
Github:
https://github.com/cyray/Cyray-IR/tree/master/CVE-2020-16898_Bad_Neighbor
Or download directly from this site:
ArcSight:
QRadar:
Installation
ArcSight Package
We added a mapping file for the relevant windows logs and changed the resources package to match.
The file is available for download from the same path as the .arb package – named winc.zip.
Unzip the file and locate the folder using this path:
\current\user\agent\fcp\
If the ‘winc’ directory already exists, add only the files that do not exist.
0
123
0
