On October 13, 2020, Microsoft issued an alert for a remote code execution vulnerability that exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. Attackers can exploit this vulnerability to execute code on target servers or clients. Microsoft has rated CVE-2020-16898 as critical and released a fix in its monthly security update.

Detected vulnerability

  • Vulnerability number: CVE-2020-16898
  • Vulnerability severity: critical
  • Affected versions:
    • Windows Server 2019
    • Windows Server 2019 (Server Core installation)
    • Windows Server, version 1903 (Server Core installation)
    • Windows Server, version 1909 (Server Core installation)
    • Windows Server, version 2004 (Server Core installation)

Details

A remote code execution vulnerability (CVE-2020-16898) exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. To exploit it, an attacker only needs to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer; no authentication, prior access, or interaction with the target is required. Because the packets are processed by the kernel network stack, a successful attack results in remote code execution (RCE). No exploits of the vulnerability have been disclosed.

Security suggestions

Install the patch for the CVE-2020-16898 vulnerability as soon as possible.

Solutions

You can use one of the following solutions to fix the vulnerability:
  • Go to the Microsoft official website to download the corresponding patch. For more information, visit CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability.
  • You can detect and fix the vulnerability in the Windows system vulnerabilities module of Alibaba Cloud Security Center. For more information, see View and handle vulnerabilities.
  • You can disable ICMPv6 RDNSS (the Recursive DNS Server option carried in Router Advertisements) to mitigate the risk.
    Run the following netsh command in an elevated PowerShell session to disable ICMPv6 RDNSS and prevent attackers from exploiting the vulnerability. This workaround is available only on Windows version 1709 or later. Replace *INTERFACENUMBER* with the index of the interface to change.
    netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
    Note: No restart is required after ICMPv6 RDNSS is disabled; the change takes effect immediately.
    To enable ICMPv6 RDNSS again, run the following command. However, doing so exposes the computer to the vulnerability again until the patch is installed.
    netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable
    Note: No restart is required after ICMPv6 RDNSS is enabled; the change takes effect immediately.
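The workaround above acts on one interface index at a time. The following PowerShell script is an added example (not part of the advisory or Microsoft's guidance) that applies the same netsh setting to every active IPv6-bound interface and verifies the result; it assumes an elevated session and that the "netsh int ipv6 show int" output contains a line labelled "RA Based DNS Config (RFC 6106)".

```powershell
# Added example: apply the CVE-2020-16898 RDNSS workaround to every active
# IPv6-bound interface instead of one hand-picked INTERFACENUMBER, and verify.
# Assumptions: runs elevated; netsh "show int" output has a line containing
# "RA Based DNS Config" followed by ": enabled" or ": disabled".
param(
    [ValidateSet('disable', 'enable')]
    [string]$Mode = 'disable'
)

function Get-RdnssState {
    param([int]$IfIndex)
    $out  = netsh interface ipv6 show interface $IfIndex 2>&1
    $line = $out | Where-Object { $_ -match 'RA Based DNS Config' }
    if (-not $line) { return 'unknown' }
    if ($line -match ':\s*(\w+)\s*$') { return $Matches[1].ToLower() }
    return 'unknown'
}

# Only interfaces that are up and bound to IPv6 can receive Router Advertisements.
$targets = Get-NetAdapter | Where-Object Status -eq 'Up' | Where-Object {
    Get-NetAdapterBinding -Name $_.Name -ComponentID 'ms_tcpip6' | Where-Object Enabled
}

foreach ($nic in $targets) {
    $before = Get-RdnssState -IfIndex $nic.ifIndex
    netsh interface ipv6 set interface $nic.ifIndex rabaseddnsconfig=$Mode | Out-Null
    $after  = Get-RdnssState -IfIndex $nic.ifIndex
    [pscustomobject]@{
        Interface = $nic.Name
        IfIndex   = $nic.ifIndex
        Before    = $before
        After     = $after
        Applied   = ($after -eq ($Mode + 'd'))   # 'disabled' or 'enabled'
    }
}
```

Run it with no arguments to disable RDNSS, or with `-Mode enable` to revert once the patch is installed; the Applied column shows whether each interface now reports the requested state.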

Announcing party

Alibaba Cloud Computing Co., Ltd.