Every time critical patches are released for an operating system, device, or app that we think you are using, you can predict in advance what we will say.
Patch early, patch often.
Why risk letting the crooks get ahead of you when you could take a decisive step ahead of them?
Well, this month the SophosLabs Offensive Security team (that's offensive as in the opposite of defensive, by the way, not as in the opposite of polite; and it's the security that's offensive, not the team) made the "patch now" advice even more compelling.
It's a short video that shows an unpatched Windows 10 computer being crashed by a script.
If the person running the script can direct a specially crafted IPv6 network packet at your computer, specifically a booby-trapped ICMPv6 packet, they can crash it without warning.
You’ll see a Blue Screen of Death (BSoD), and any work you didn’t save will be lost, probably forever.
ICMP is short for Internet Control Message Protocol, and it's a low-level type of network packet that is much simpler than setting up a regular TCP connection, and even simpler than UDP. (IPv6 has its own version of the protocol, ICMPv6, which is the one at issue here.) The most widely known type of ICMP message is probably the ping packet generated by the
ping utility that is present on almost every operating system. You ping a computer by its IP address and, when it receives the packet, it sends a reply, a pong packet if you like. Pinging tests whether you can communicate with another device at all, which makes it a basic but useful starting point for network diagnostics. If someone can ping your unpatched Windows 10 or Windows Server 2019 computer over IPv6 from theirs, they can probably crash it with this bug.
We won't go into the details here, and even in the SophosLabs report our experts avoided disclosing enough to let you exploit this vulnerability yourself, but you need to know that this bug is designated CVE-2020-16898.
The bug was found in a Windows component called
TCPIP.SYS, and as the filename suggests, this is not just any old program.
TCPIP.SYS is a kernel driver. If you trigger this bug, you are exploiting a vulnerability in the kernel itself, the component at the core of any running Windows system.
That's why the system crashes with a BSoD, rather than just terminating one application with an error and leaving everything else running.
After all, if the kernel goes down, nothing else can carry on, because the kernel controls everything else.
So a kernel crash, also known as a panic in Unix lingo, forces a full shutdown followed by an automatic restart.
Interestingly, the bug triggered in the video above to provoke the BSoD is a buffer overflow.
TCPIP.SYS incorrectly checks the length of one of the optional data fields that can appear in ICMPv6 packets (the Recursive DNS Server, or RDNSS, option carried in an IPv6 Router Advertisement), so that more data than expected can be pushed into it, corrupting the kernel stack.
Bang! It goes down.
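To make the "incorrectly checks the length" point concrete, here is an added example, written for this article rather than taken from the SophosLabs report or from TCPIP.SYS itself, of how the option list in an ICMPv6 Router Advertisement should be parsed. The RDNSS option (type 25, RFC 8106) carries a Length byte counted in 8-octet units that must be odd and at least 3 (an 8-byte header plus 16 bytes per address), so a parser that simply computes (Length - 1) / 2 addresses and trusts the result either leaves 8 bytes of the option unaccounted for (even Length) or tries to copy more addresses than its buffer holds (large Length). The option type numbers and the Length rule come from the RFCs; the function names, the three-slot destination buffer and the two sample packets are constructed for illustration and do not represent Microsoft's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_SRC_LLADDR 1    /* Source Link-Layer Address, RFC 4861 */
#define ND_OPT_RDNSS      25   /* Recursive DNS Server, RFC 8106 */
#define MAX_RDNSS_ADDRS   3    /* illustrative fixed-size destination (hypothetical) */

struct rdnss_result {
    unsigned count;                     /* addresses actually copied */
    uint32_t lifetime;                  /* RDNSS lifetime, seconds */
    uint8_t  addrs[MAX_RDNSS_ADDRS][16];
};

/* What a parser gets if it trusts the Length byte blindly. RFC 8106 says
 * Length = 3 + 2*N for N addresses, i.e. N = (Length - 1) / 2. With an even
 * Length the division rounds down and 8 bytes of the option go unaccounted
 * for; with a large Length the count exceeds any fixed-size buffer. A memcpy
 * driven by this number alone is the bug class the article describes. */
static unsigned naive_rdnss_addr_count(uint8_t len)
{
    return (len - 1u) / 2u;
}

/* Hardened: check every constraint before a single byte is copied. */
static bool parse_rdnss(const uint8_t *opt, size_t avail, struct rdnss_result *out)
{
    if (avail < 8 || opt[0] != ND_OPT_RDNSS)
        return false;
    uint8_t len   = opt[1];
    size_t  bytes = (size_t)len * 8;
    if (len < 3 || (len & 1) == 0 || bytes > avail)     /* RFC 8106: odd, >= 3, in bounds */
        return false;
    unsigned n = (len - 1u) / 2u;
    if (n > MAX_RDNSS_ADDRS)                             /* must fit our destination */
        return false;
    out->lifetime = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
                    ((uint32_t)opt[6] << 8)  |  (uint32_t)opt[7];
    memcpy(out->addrs, opt + 8, (size_t)n * 16);
    out->count = n;
    return true;
}

/* Walk the TLV option list at the end of a Router Advertisement. Returns the
 * number of options seen, or -1 if any option is malformed: a network stack
 * should then drop the whole packet rather than act on what it parsed so far. */
static int walk_ra_options(const uint8_t *buf, size_t n, struct rdnss_result *out)
{
    int    seen = 0;
    size_t off  = 0;
    memset(out, 0, sizeof *out);
    while (off < n) {
        if (n - off < 8)
            return -1;                                   /* truncated option header */
        uint8_t type = buf[off], len = buf[off + 1];
        size_t  bytes = (size_t)len * 8;
        if (len == 0 || bytes > n - off)                 /* RFC 4861: Length 0 is invalid */
            return -1;
        if (type == ND_OPT_RDNSS && !parse_rdnss(buf + off, n - off, out))
            return -1;
        /* other option types are skipped using their (now validated) length */
        off += bytes;
        seen++;
    }
    return seen;
}

/* Constructed sample: SLLA option, then a well-formed RDNSS option (Length 3)
 * with lifetime 3600 s and one address, 2001:db8::53. */
static const uint8_t GOOD_OPTS[] = {
    ND_OPT_SRC_LLADDR, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    ND_OPT_RDNSS,      0x03, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53,
};

/* Constructed sample: the same RDNSS option with an even Length of 4, so the
 * option spans 32 bytes but the naive count of 1 address covers only 24;
 * the last 8 bytes are attacker-chosen and go unaccounted for. */
static const uint8_t EVEN_LEN_OPTS[] = {
    ND_OPT_RDNSS, 0x04, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};

int good_example(struct rdnss_result *r) { return walk_ra_options(GOOD_OPTS, sizeof GOOD_OPTS, r); }
int even_example(struct rdnss_result *r) { return walk_ra_options(EVEN_LEN_OPTS, sizeof EVEN_LEN_OPTS, r); }

int main(void)
{
    struct rdnss_result r;
    int seen = good_example(&r);
    printf("well-formed list: %d option(s), %u DNS address(es), lifetime %u\n",
           seen, r.count, r.lifetime);
    printf("even-Length RDNSS: walk returned %d (packet rejected)\n", even_example(&r));
    printf("naive count for Length 4: %u address(es) covering %u of 32 bytes\n",
           naive_rdnss_addr_count(4), naive_rdnss_addr_count(4) * 16 + 8);
    return 0;
}
```

walk_ra_options() rejects the whole packet on the first malformed option, which is the right reaction in a kernel network stack: once one length field has proved untrustworthy, nothing parsed after it (or from it) can be trusted either.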
Two decades ago, almost every stack-based buffer overflow on Windows could be used not only to crash a system but, with a little care and planning, to hijack the processor's flow of execution and redirect it into a fragment of code of the attacker's choosing, known as shellcode.
In other words, Windows stack overflows in networking software almost always led to so-called remote code execution (RCE) exploits, where attackers trigger the bug remotely using specially crafted network traffic, run code of their choice, and thereby implant malware without you even realising it.
However, numerous security enhancements in Windows, starting with the Windows XP service packs (stack cookies and DEP, later joined by ASLR), have made stack overflows much harder to exploit, and today they can often be used only to force crashes, not to take over the computer.
Even so, a disgruntled user on your network who can crash computers at will, servers and laptops alike, can do a lot of damage simply with what is known as a Denial of Service (DoS) attack, especially because recovering from each crash requires a full reboot.
In theory, of course, a determined crook could figure out how to use CVE-2020-16898 to take over a remote computer rather than just crash it, so Microsoft classified this bug as Critical, gave it a CVSS severity score of 9.8 (out of 10) and assigned it an exploitability rating of 1, short for "Exploitation More Likely".
What is slightly confusing is that severity gets worse on a scale from 0 up to 10, while the exploitability rating gets worse on a scale from 3 down to 0. A 0 means "exploitation already detected, so you are in immediate danger" and a 3 means "exploitation unlikely". A 1 means that even if the bug turns out to be very hard to exploit, you should expect attackers to try hard, because previous bugs of this type have been exploited successfully.
In other words, although CVE-2020-16898 has not yet been turned into a working attack, patch now, because you can bet that cybercriminals are working on it.
In the vaguely militaristic jargon of cybersecurity research, that means someone somewhere is trying to weaponise this bug right now.
For an explanation of why modern Windows versions make this bug hard to exploit, and why our own Offensive Security team thinks it unlikely, though not impossible, that anyone will succeed, please read the SophosLabs report.
What should I do?
Like we said, you need to patch.
Even though a working exploit may never be found, it's a fair bet that any exploit that does come along will be what's known as wormable, meaning that it can be used not only to break into someone else's computer, but also to break from your computer into someone else's automatically.
In that way, the bug could be used to create a self-contained, self-replicating computer virus, or worm, that could spread widely and quickly without any human intervention.
If you really can't patch right away, there are two workarounds:
- Disable IPv6 in Windows. This is only an option if you have a pure IPv4 network, and Microsoft advises against turning IPv6 off in general, so prefer the second workaround where you can.
- Disable the vulnerable ICMPv6 feature in Windows, known as RDNSS (short for Recursive DNS Server), which Windows reads from IPv6 Router Advertisements.
For instructions on how to disable RDNSS (and how to turn it back on after patching), see Microsoft's advisory page for CVE-2020-16898.