CVE-2020-16898 – Bad Neighbor – Monitoring By SIEM

SIEM Content Packages

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

An attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer to exploit this vulnerability.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. (Microsoft)

MITRE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16898

CVSS Score: 9.8

We strongly recommend disabling IPv6 on all end devices where the IPv6 protocol is not in use, because the IPv6 stack exposes a number of attack vectors. Note that Microsoft's documented workaround for this specific CVE is narrower and less disruptive: disabling ICMPv6 RDNSS on the affected interfaces (netsh int ipv6 set int <INTERFACENUMBER> rabaseddnsconfig=disable, available on Windows 10 version 1709 and later), which blocks the vulnerable option without turning IPv6 off.

More information below:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ipv6 

Otherwise, we recommend patching your hosts and servers against this vulnerability (the fix shipped in the October 2020 security updates).

Here's the MSRC link to download the relevant KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

 

A little bit about the process:

Because the attack is delivered over ICMPv6 (Router Advertisement packets carried directly in IPv6, not over TCP), it is highly advisable to implement real-time detection on the network side, if possible using an IDS/IPS such as Suricata.

McAfee's Advanced Threat Research team has published a Suricata rule for this vulnerability – link below:

https://github.com/advanced-threat-research/CVE-2020-16898
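To show concretely what a network-side check for this vulnerability has to look at, here is an added example (not code from this page and not the McAfee ATR Suricata rule) that walks the options of an ICMPv6 Router Advertisement and flags an RDNSS option whose length field is not the 1 + 2n that RFC 8106 requires. The sample packets are constructed inline, the checksum is left as zero, and the input is assumed to be the ICMPv6 message with the IPv6 header already stripped.

```python
"""Check an ICMPv6 Router Advertisement for the malformed RDNSS option that
CVE-2020-16898 depends on.  Added example, not the page's content and not the
McAfee ATR Suricata rule.  Input is the ICMPv6 message only (IPv6 header
already stripped)."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25        # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_options(payload: bytes):
    """Yield (type, length_in_8_byte_units, raw_bytes) for each RA option.

    Raises ValueError for shapes RFC 4861 forbids: a zero option length or an
    option that claims more bytes than the packet holds."""
    if len(payload) < RA_HEADER_LEN or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    offset = RA_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option with zero length")
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("option length exceeds packet")
        yield opt_type, opt_len, payload[offset:end]
        offset = end


def find_bad_rdnss(payload: bytes) -> list:
    """One finding per RDNSS option whose length field is not 1 + 2n.

    RFC 8106 fixes the RDNSS length at one 8-byte header unit plus two units
    per 16-byte address, so a valid length is odd and at least 3.  An even
    length is the shape the Windows parser mishandled."""
    findings = []
    for opt_type, opt_len, _ in parse_ra_options(payload):
        if opt_type == OPT_RDNSS and (opt_len % 2 == 0 or opt_len < 3):
            findings.append(f"RDNSS option with invalid length {opt_len}")
    return findings


def flag_packet(payload: bytes) -> bool:
    """True when the RA deserves an alert: a bad RDNSS length, or a packet that
    does not even parse cleanly (also worth alerting on)."""
    try:
        return bool(find_bad_rdnss(payload))
    except ValueError:
        return True


# --- constructed sample packets (not captured traffic) ---------------------
def build_ra(options: bytes) -> bytes:
    """Minimal RA header (checksum left as zero) followed by raw options."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       64, 0, 1800, 0, 0) + options


def rdnss_option(length_units: int, addresses: list) -> bytes:
    """RDNSS option with the length field chosen by the caller; the body is
    zero-padded or truncated to match it so malformed samples can be built."""
    body = struct.pack("!BBHI", OPT_RDNSS, length_units, 0, 3600) + b"".join(addresses)
    size = length_units * 8
    return (body + b"\x00" * size)[:size]


DNS_2001_DB8_53 = bytes.fromhex("20010db8" + "0" * 20 + "0053")   # 2001:db8::53
BENIGN_RA = build_ra(rdnss_option(3, [DNS_2001_DB8_53]))      # 1 header unit + 2 address units
MALFORMED_RA = build_ra(rdnss_option(4, [DNS_2001_DB8_53]))   # even length: invalid
```

The check deliberately alerts on packets that fail to parse at all, since an option with zero length or a length running past the end of the packet is not something a legitimate router sends either.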

 

Technical Details:

We have tested the vulnerability using this POC:

After running the attack, the target device bluescreened, and after the restart the following event was recorded in the Application log:

External ID: 1001

Event ID 1001 (source: Windows Error Reporting), where the event data contains the values "BlueScreen" and "tcpip!Ipv6pHandleRouterAdvertisement" (the faulting function in the TCP/IP driver).

We built content packages based on this data to identify this exploit.

Note that this event is created only when the exploit crashes the target (the DoS outcome; 1001 is the bluescreen report). A successful RCE would not bluescreen the host and leaves no such event, and the same function name could in principle appear in a crash with a different cause, so treat a match as a strong indicator rather than proof. To detect the RCE case, use the Suricata rule referenced above, because the network traffic itself has to be inspected.
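The following is an added example (not the page's ArcSight or QRadar content) of the host-side detection logic described above, run over constructed sample events: it matches Application log event 1001 from Windows Error Reporting whose data contains both "BlueScreen" and "tcpip!Ipv6pHandleRouterAdvertisement", and then correlates matches across hosts, since an attacker on the local link typically hits several machines on the same segment. The field names (host, log, provider, event_id, data) are assumptions about how a SIEM normalises forwarded Windows events, and the event data strings are constructed, not real WER text.

```python
"""Host-side detection of the Bad Neighbor crash signature.  Added example,
not the page's SIEM packages; events and field names are constructed."""
from datetime import datetime, timedelta

FAULTING_FUNCTION = "tcpip!Ipv6pHandleRouterAdvertisement"


def is_bad_neighbor_crash(event: dict) -> bool:
    """Match one normalised event against the crash signature.

    All conditions are required: matching 1001 alone fires on every WER
    report, and 'BlueScreen' alone on every unrelated bugcheck."""
    data = event.get("data", "").lower()
    return (
        event.get("log", "").lower() == "application"
        and event.get("event_id") == 1001
        and event.get("provider", "").lower() == "windows error reporting"
        and "bluescreen" in data
        and FAULTING_FUNCTION.lower() in data
    )


def detect(events):
    """Return the events that match the signature, oldest first."""
    return sorted((e for e in events if is_bad_neighbor_crash(e)), key=lambda e: e["time"])


def correlate(matches, window=timedelta(minutes=10), min_hosts=2):
    """Report windows in which at least min_hosts distinct hosts crashed in
    the same tcpip function.  Several hosts on one segment crashing within
    minutes is a much stronger signal than a single crash."""
    alerts = []
    matches = sorted(matches, key=lambda e: e["time"])
    i = 0
    while i < len(matches):
        start = matches[i]["time"]
        group = [e for e in matches if start <= e["time"] < start + window]
        hosts = sorted({e["host"] for e in group})
        if len(hosts) >= min_hosts:
            alerts.append({"start": start, "hosts": hosts})
            i += len(group)          # the whole window has been reported
        else:
            i += 1                   # slide to the next match
    return alerts


# --- constructed sample events (field layout is an assumption) -------------
def _ev(host, when, event_id=1001, provider="Windows Error Reporting",
        log="Application", data=""):
    return {"host": host, "time": when, "event_id": event_id,
            "provider": provider, "log": log, "data": data}


T0 = datetime(2020, 10, 14, 9, 0, 0)
CRASH = ("Event Name: BlueScreen; faulting module/function: "
         "tcpip!Ipv6pHandleRouterAdvertisement")   # constructed, not real WER text
SAMPLE_EVENTS = [
    _ev("ws01", T0, data=CRASH),
    _ev("ws03", T0 + timedelta(minutes=1), data="Event Name: BlueScreen; ntoskrnl.exe"),
    _ev("ws02", T0 + timedelta(minutes=3), data=CRASH),
    _ev("ws04", T0 + timedelta(minutes=5), data="Event Name: APPCRASH; notepad.exe"),
    _ev("dc01", T0 + timedelta(minutes=6), provider="BugCheck", log="System",
        data="The computer has rebooted from a bugcheck."),
    _ev("ws05", T0 + timedelta(hours=2), data=CRASH),
]
```

The System log BugCheck 1001 on dc01 is included on purpose: it is the event a Security-log-only or DC-only collection would most likely have, and it does not carry the faulting function, which is why the Application log from every endpoint is needed.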

 
Affected Windows Versions:

Windows 10 Version 1709 for 32-bit Systems

Windows 10 Version 1709 for ARM64-based Systems

Windows 10 Version 1709 for x64-based Systems

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

 

Before installing the packages:

Ensure that Event ID 1001 is collected from all Windows endpoints on the network (workstations and servers), e.g. via Windows Event Forwarding (WEF).

Collecting logs only from domain controllers is not enough: the crash event is written on the attacked host itself.

Note that event 1001 is written to the Application log (source: Windows Error Reporting). Most SIEM deployments collect only the Security log, so make sure the Application log is included in the collection as well.

 

Download:

Our packages are available at the links below and will be updated frequently.

 
Github:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2020-16898_Bad_Neighbor

 
Or download directly from this site:

ArcSight:

CVE-2020-16898-BadNeighbor – ArcSight

QRadar:

CVE-2020-16898-BadNeighbor – QRadar

 

Installation

ArcSight Package

We added a mapping file for the relevant Windows logs and changed the resources package to match.

The file is available for download from the same path as the .arb package, named winc.zip.

Unzip the file and copy its contents into the following folder under the SmartConnector installation directory:

\current\user\agent\fcp\

If the 'winc' directory already exists, add only the files that do not already exist there.

QRadar Package:

Rule – the rule does not create an offense by default. We recommend tuning it after it has run for a while, depending on your environment.

 


Important – these packages will work adequately only in properly configured environments. Make sure event collection is configured correctly, without data loss or delays, since the rule depends on the crash event arriving from the endpoint.

You are welcome to contact us for any further details.


 

Kfir Ozeri – [email protected]

Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]
