October 15, 2020
Summary
A serious vulnerability exists in the Windows TCP/IP network stack [1,2]. So far it is only known to be usable for a Denial of Service (DoS), but Microsoft and others warn that remote code execution may also be possible.
An attacker exploits the vulnerability by sending a crafted ICMPv6 Router Advertisement packet to the target system. Neither authentication nor user interaction is required: because the trigger is a single unsolicited packet, the attacker needs only to be able to deliver ICMPv6 traffic to the host.
Impact
An attacker who successfully exploits this vulnerability can cause the target to crash with a Blue Screen of Death (BSOD) or, potentially, execute arbitrary code on it. If code execution is achieved, the attacker could install programs; view, change, or delete data; or create new accounts. [1]
Current Mitigations
- Systems behind the campus Palo Alto firewalls are expected to be covered by those firewalls' Vulnerability Protection profiles.
- Windows servers managed by the Windows Team have already been protected with local firewall blocks.
- Systems using BigFix for patch management are being patched automatically; the patch takes effect after a restart.
Vulnerable
- Microsoft Windows 10 Version 1709 and later
- Microsoft Windows Server 2019
Recommendations
- Apply the Microsoft patch wherever you can.
- If immediate patching is not possible, or is not feasible because of COVID-19 restrictions, apply the workaround described in the references below.
- Prioritize Internet-facing systems first, then Campus network-facing systems, and finally internal systems or those restricted to trusted IP addresses. Every vulnerable system must be either patched or have the workaround applied.
- Notify security@berkeley.edu if you anticipate any delays.
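The following PowerShell script is an added example, not part of this advisory and not a script from Berkeley or Microsoft. It applies the workaround Microsoft published for this bug (Microsoft tracks it as CVE-2020-16898; the advisory above does not name it): disabling RA-based DNS configuration on each IPv6 interface with netsh, which removes the trigger without disabling IPv6 and needs no reboot. It optionally adds the kind of local firewall block the "Current Mitigations" section describes for managed servers. The build-number check, the rule name, and the -Undo/-BlockRA switches are this example's own assumptions.

```powershell
# Added example, not part of the original advisory. Applies Microsoft's documented
# workaround for the ICMPv6 Router Advertisement bug (CVE-2020-16898): disable
# RA-based DNS configuration (RFC 6106 RDNSS processing) on every IPv6 interface.
# Needs an elevated prompt; no reboot is required. Run with -Undo once patched.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Undo,      # re-enable RDNSS processing (and drop the firewall rule)
    [switch]$BlockRA    # also block inbound Router Advertisements in the local firewall
)

# Windows 10 1709 is build 16299 and Server 2019 is build 17763; the advisory lists
# nothing older as affected. Assumption: the build number is a good enough proxy.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 16299) {
    Write-Host "Build $build is below 1709; nothing to do."
    return
}

$state = if ($Undo) { 'enable' } else { 'disable' }

# The setting is per interface, so walk every IPv6 interface, not only the connected
# ones: a NIC that comes up later would otherwise stay exposed.
foreach ($if in (Get-NetIPInterface -AddressFamily IPv6)) {
    $idx = $if.InterfaceIndex
    # Microsoft's documented command: netsh int ipv6 set int <index> rabaseddnsconfig=disable
    netsh int ipv6 set int $idx rabaseddnsconfig=$state | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh returned $LASTEXITCODE on interface $idx ($($if.InterfaceAlias))"
        continue
    }
    # Read the setting back; netsh reports it as 'RA Based DNS Config (RFC 6106)'.
    $match  = netsh int ipv6 show int $idx | Select-String 'RA Based DNS Config' | Select-Object -First 1
    $verify = if ($match) { $match.Line.Trim() } else { '(setting not reported by netsh)' }
    Write-Host ("{0,4} {1,-30} {2}" -f $idx, $if.InterfaceAlias, $verify)
}

# Optional second layer: drop inbound ICMPv6 type 134 (Router Advertisement) in the
# Windows firewall. Caveat: a host that relies on RAs for SLAAC addressing or its IPv6
# default route loses IPv6 connectivity, so use this only with static/DHCPv6 addressing.
$ruleName = 'Block inbound ICMPv6 Router Advertisement (RA workaround)'   # assumed name
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($Undo) {
    if ($existing) { $existing | Remove-NetFirewallRule; Write-Host "Removed firewall rule: $ruleName" }
} elseif ($BlockRA -and -not $existing) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol ICMPv6 `
        -IcmpType 134 -Action Block -Profile Any | Out-Null
    Write-Host "Added firewall rule: $ruleName"
}
```

Run it from an elevated PowerShell prompt; add -BlockRA only on hosts that do not depend on router advertisements for IPv6 addressing, and run it again with -Undo after the Microsoft patch has been installed and the system restarted.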