Windows Vulnerability - CVE-2020-16898

October 15, 2020

Summary

A serious vulnerability exists in the Windows TCP/IP network stack [1,2].  Currently, it is known that this vulnerability can be used to trigger a Denial of Service (DoS) event, however, Microsoft and others are warning that it may also be possible to remotely execute code.

An attacker can exploit this vulnerability by sending a crafted ICMPv6 Router Advertisement to the target system. The vulnerability does not require authentication or user-interaction.

Impact

An attacker who successfully exploits this vulnerability can cause the computer to either experience a Blue Screen of Death (BSOD) or execute arbitrary code on the target system. If code execution is achieved, an attacker could then install programs; view, change, or delete data; or create new accounts. [1]

Current Mitigations

  • Systems behind the Palo Alto firewalls should be covered by the firewalls' Vulnerability profiles.
  • Windows servers managed by the Windows Team have already been protected using local firewall blocks.
  • Systems using BigFix for patch management are being patched automatically; the patch takes effect at restart.

Vulnerable

  • Microsoft Windows 10 Version 1709 and later
  • Microsoft Windows Server 2019

Recommendations

  • If you can patch the vulnerability, please do so.
  • If immediate patching is not an option or is not feasible because of Covid-19 restrictions, see the references below for a workaround.
  • Priority should first focus on Internet-facing systems, then Campus network-facing systems, and finally any systems that are internal or restricted to trusted IP addresses. All vulnerable systems should be patched or have the workaround applied.
  • Notify security@berkeley.edu if you anticipate any delays.
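For administrators who cannot patch immediately, the following script is an added example (not part of this advisory or of Microsoft's own tooling) that audits each IPv6 interface for the ICMPv6 Router Advertisement DNS option processing that this vulnerability abuses and, when run with -Apply, turns it off using the netsh workaround Microsoft documents for CVE-2020-16898. It assumes an elevated PowerShell session and the English-language column layout of netsh output on Windows 10 / Server 2019; the interface-parsing regular expression and the RDNSS field label are assumptions about that output.

```powershell
# Added example, not part of the original advisory: audit every IPv6 interface for
# the "RA Based DNS Config" (RDNSS, RFC 6106) setting and, with -Apply, disable it
# via Microsoft's documented netsh workaround for CVE-2020-16898.
# Assumes an elevated session and English netsh output on Windows 10 / Server 2019.
# Patching remains the real fix; the workaround is reversible with
# "rabaseddnsconfig=enable" once the update is installed.

param(
    [switch]$Apply   # report only unless -Apply is given
)

# Column layout of "netsh int ipv6 show int":  Idx  Met  MTU  State  Name
$interfaces = foreach ($line in (netsh int ipv6 show int)) {
    if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.+?)\s*$') {
        [pscustomobject]@{ Idx = [int]$Matches[1]; State = $Matches[2]; Name = $Matches[3] }
    }
}

foreach ($iface in $interfaces) {
    # Per-interface detail output contains a line of the form
    # "RA Based DNS Config (RFC 6106)   : enabled"
    $detail = netsh int ipv6 show int $iface.Idx
    $rdnss  = ($detail | Where-Object { $_ -match 'RA Based DNS Config' } |
               Select-Object -First 1) -replace '.*:\s*', ''

    if ($rdnss -eq 'enabled') {
        Write-Warning ("Interface {0} ({1}) still processes RDNSS options from Router Advertisements" -f $iface.Idx, $iface.Name)
        if ($Apply) {
            # Microsoft's workaround: stop the stack from parsing the RDNSS option.
            # No reboot is required; DNS servers learned from RAs will no longer be applied.
            netsh int ipv6 set int $iface.Idx rabaseddnsconfig=disable | Out-Null
            Write-Output ("Disabled RDNSS processing on interface {0}" -f $iface.Idx)
        }
    } else {
        Write-Output ("Interface {0} ({1}): RDNSS processing {2}" -f $iface.Idx, $iface.Name, $rdnss)
    }
}
```

Run it once without -Apply to see which interfaces are still exposed, then with -Apply to change them; hosts that rely on DNS servers advertised via IPv6 RAs will need DNS configured another way while the workaround is in place.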

References