Every time that critical patches come out for any operating system, device or app that we think you might be using, you can predict in advance what we’re going to say.
Patch early, patch often.
After all, why risk letting the crooks sneak in front of you when you could take a resolute stride ahead of them?
Well, this month, the Offensive Security team at SophosLabs (that’s offensive as in the opposite of defensive, by the way, not as in the opposite of polite; and it’s the security that’s offensive anyway, not the team) has come up with some even more compelling “patch now” advice.
It’s in the form of a short video, and it shows an unpatched Windows 10 computer being crashed at will across the network by a simple bug-tripping Python script:
If the person running the script can aim a specially crafted IPv6 network packet at your computer – specifically, a booby-trapped ICMP packet – then they can bring you down without warning.
You see a Blue Screen of Death (BSoD), and any work you hadn’t saved is lost, probably forever.
ICMP is short for Internet Control Message Protocol, and it’s a low-level type of network packet that’s much simpler than setting up a regular TCP connection, and even simpler than UDP. The best known sort of ICMP message is probably a ping packet, generated by the
ping utility that exists on almost every operating system. You ping a computer by its IP address and if it gets the packet, it sends a reply – a pong packet, if you like. Pinging checks whether you can communicate with another device at all, as a basic but useful starting point for network diagnostics. Loosely speaking, if someone can ping your unpatched Windows 10 or Windows Server 2019 computer from theirs, they can probably crash you with this bug.
We’re not going to go into any detail here – and even in the SophosLabs report our experts have avoided giving away enough for you start exploiting this vulnerability at will – but what you need to know is that this bug is denoted CVE-2020-16898.
The bug was discovered in a Windows component called
TCPIP.SYS, and as the filename suggests, this isn’t just any old program.
TCPIP.SYS is a kernel driver, meaning that if you trigger this bug, you are exploiting a vulnerability inside the kernel itself, which is the very core of any running Windows system.
That’s why the system crashes with a BSoD rather than just shutting down one application with an error while leaving everything else running.
After all, shutting down the kernel means that there is no “anything else” to keep running, given that it’s the kernel that controls everything else.
So, a kernel crash, also known as a panic in Unix jargon, forces a total shutdown, typically followed by an automatic reboot.
Interestingly, the bug you see triggering in the video above that provokes the BSoD is caused by a buffer overflow.
TCPIP.SYS doesn’t correctly check the size of one of the data fields that can optionally appear in IPv6 ICMP packets, so you can shove too much data at it and corrupt the system stack.
Bang! Down it goes.
Two decades ago, almost any stack-based buffer overflow on Windows could be used not only to crash a system, but also, with a bit of care and planning, to take over the processor’s flow of execution and divert it into a program fragment – known as shellcode – of your own choosing.
In other words, Windows stack overflows in networking software almost always used to lead to so-called remote code execution exploits, where attackers could trigger the bug from afar with specially crafted network traffic, run code of their own choosing, and thereby inject malware without you even being aware.
But numerous security improvements in Windows, from Windows XP SP3 onwards, have made stack overflows harder and harder to exploit, and these days they can often only be used to force crashes, not to take over completely.
Nevertheless, a malcontent on your network who could crash any computers at will, servers and laptops alike, could cause plenty of harm just through what’s known as a denial of service attack, especially because recovering from each crash requires a complete reboot.
In theory, of course, a determined crook might be able to figure out how to exploit CVE-2020-16898 to take over a remote computer, not merely to crash it, so that Microsoft has classified this bug as critical, given it a severity rating of 9.8 (out of 10), and flagged it with an exploitability assessment of 1, short for “exploitation more likely”.
Slightly annoyingly, severity ratings get worse on a scale of 0 up to 10, while exploitability assessments get worse on a scale of 3 down to zero. 0 means “is already being exploited, so you are already in direct danger” and 3 means “this bug will probably amount to very little”. A value of 1 means that even if the bug turns out to be very hard to exploit, you can expect attackers to try really hard at it, because previous bugs of this sort have been exploited successfully.
In other words, even though CVE-2020-16898 hasn’t been turned into a working attack yet, you should patch right now, because you can bet your boots that cybercriminals are working on it.
In the vaguely militaristic jargon of cybersecurity research, this means that someone, somewhere, is trying to weaponise this bug right now.
For an explanation of why modern versions of Windows aren’t easy to exploit using this flaw, and for a justification of why our own Offensive Security Team thinks it’s unlikely – but not impossible! – that anyone will succeeed, please read the SophosLabs report.
What to do?
As we’ve said, you need to patch.
Although an exploit may never be found, it’s a fair bet that any working exploit that does turn up will be what’s called wormable, meaning that it could be used not only to break into your computer from someone else’s, but then also to break in to a third person’s computer automatically from yours.
If you genuinely can’t patch yet, there are two workarounds:
- Turn off IPv6 in Windows. This is only an option if you have a pure IPv4 network.
- Turn off the buggy ICMP feature in Windows, known as IPv6 ICMP RDNSS (short for Recursive DNS Server).
Instructions for turning ICMP RDNSS off (and back on after you have patched) can be found on Microsoft’s CVE-2020-16898 advisory page.