Recent CVEs disclosures of Windows 10’s IPv6 vulnerabilities show how diligent patching and AI-based network monitoring are becoming de riguer cyber-diligence.
On October 13, Microsoft unveiled some Windows 10 vulnerabilities including a remote DoS (CVE-2020-16899) and a remote code execution flaw (CVE-2020-16898) dubbed ‘Bad Neighbor’.
Both of these vulnerabilities are in the code that processes ICMPv6 Router Advertisement messages, a fundamental part of IPv6. This vulnerability would allow a hacker to exploit a remote code execution (RCE) vulnerability to run malware or launch a denial of service (DoS) attack. Because this vulnerability attacks the IP stack in the kernel, other security solutions (like EDR, SIEM or IDPS) are unlikely to detect these particular exploits. EDR solutions will only see the attack once the payload is executed and logs in a SIEM are unlikely to detect this vulnerability because messages (ICMP) are rarely logged.
The vulnerability has been a widespread latent problem, as evidenced by the fact that through 2020, 80% of all personal computers will have migrated to Windows 10, according to Gartner.
Given the fact that Windows 10 device patching is markedly quick, experts do not expect to see a NotPetya-scale impact from this bug. But, Jeff Costlow, Chief Information Security Officer, ExtraHop, “organizations must immediately patch their systems to avoid impact. Users essentially cannot disable the IPv6 functionality, but can mitigate it with work-arounds if applying the patch is difficult.”
Mitigating the bad neighbor
Any organization using Windows 10 is vulnerable and should deploy the patch immediately to avoid compromise of their Windows 10 systems.
Added Costlow: “To ensure that our customers remain safe before they have time to deploy the patch, we have created and deployed detections for this vulnerability for all customers.”
Regardless, organizations should as a rule ensure timely patching vulnerability patching, and have in place solutions that monitor network data with AI and machine learning to catch threats and suspicious activity quickly. This will buy defenders precious time to investigate and respond to threats quickly.