ADVISORY: Apply Microsoft Update for "Bad Neighbor" Bug
The information below was sent to U-M IT groups on October 15, 2020. It is intended for U-M IT staff who are responsible for university devices or servers running Windows 10, versions 1709 up to 2004, or Windows Server, versions 1903 to 2004 and version 2019. It is also intended for individuals who use Windows 10 on their own computers.
A vulnerability has been discovered in Windows 10 and Windows Server that could allow for remote code execution. Microsoft has released updates, which should be applied as soon as possible after appropriate testing.
According to Microsoft, a remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
- Windows 10, versions 1709 up to 2004
- Windows Server, versions 1903 to 2004
- Windows Server 2019
Apply the updates provided by Microsoft as soon as possible after appropriate testing. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). While alternative mitigation options do exist, IA recommends prioritizing patching as opposed to relying on the workaround that utilizes “netsh.”
In order to exploit this vulnerability, an attacker would need to send specially crafted ICMPv6v Router Advertisement packets. According to Bleeping Computer, British security firm Sophos has used a proof-of-concept from Microsoft to create a denial of service POC that causes a BSOD (Blue Screen of Death) on any vulnerable Windows 10 or Windows Server devices. While remote code execution is believed to be possible, it may take some time for reliable remote code execution exploits to be developed and currently the most significant threat is denial of service. As of October 15, 2020, IA is not aware of reports of exploitation in the wild, though Microsoft rates the vulnerability as “exploitation more likely.”
How We Protect U-M
MiWorkspace machines will be updated after appropriate testing.
Information for Users
If you have Windows 10 installed on your own computer that is not managed by the university, update to the latest version as soon as possible. It is best to set Windows to update automatically.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact firstname.lastname@example.org.
- CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability (Microsoft, 10/13/20)
- US Cyber Command: Patch Windows 'Bad Neighbor' TCP/IP bug now (Bleeping Computer, 10//14/20)
- CVE-2020-16898 aka Bad Neighbor / Ping of Death Redux (AttackerKB, 10/14/20)
- Top reason to apply October, 2020’s Microsoft patches: Ping of Death Redux (Sophos News, 10/13/20)