Paul Scott
on October 14, 2020

Bad Neighbor vuln discovered living in ICMPv6

We have a light report for you this week, but with some big news:

  • Bad Neighbor vulnerability
  • Trickbot Takedown

CVE-2020-16898 aka Bad Neighbor

Microsoft announced a critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to execute arbitrary code. The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is rumored to be simple and reliable.

The vulnerability has been nicknamed “Bad Neighbor” because it’s located within ICMPv6 Neighbor Discovery.

What is it?

The Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

When an even length value is provided, the Windows TCP/IP stack incorrectly advances the network buffer by an amount that is 8 bytes too few. This leads to a buffer overflow and potential remote code execution (RCE).

The good news is that patches are available. If you can’t patch, you need to disable IPv6 either on the hosts or at the network level. ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter.

To detect exploit attempts against this, we developed a Suricata signature:

alert ipv6 any any -> any any (msg:"[Perch Security] Possible CVE-2020-16898 ICMPv6 \"Bad Neighbor\" Even Length Check"; ip_proto:58; itype:134; icode:0; content:"|19|"; offset:12; depth:1; byte_test:1,=,0x00,0,relative,bitmask 0x01; tag:session,1,packets; sid:901000; rev:1;)
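
The same even-length check written out as a parser, as an added example that is not Perch's code: it walks every option in the Router Advertisement rather than testing one fixed offset. The function names and the two sample packets are constructed for illustration.

```python
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type: Router Advertisement
OPT_RDNSS = 25          # Recursive DNS Server option
RA_FIXED_LEN = 16       # 4-byte ICMPv6 header + 12 bytes of fixed RA fields


def walk_ra_options(icmp6: bytes):
    """Yield (type, length_units, offset) for each option of an RA message.

    icmp6 starts at the ICMPv6 type byte; option length is in 8-byte units.
    """
    if len(icmp6) < RA_FIXED_LEN or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        return
    off = RA_FIXED_LEN
    while off + 2 <= len(icmp6):
        opt_type, units = icmp6[off], icmp6[off + 1]
        yield opt_type, units, off
        if units == 0:  # zero length never advances; stop instead of looping
            return
        off += units * 8


def even_length_rdnss(icmp6: bytes):
    """Return byte offsets of RDNSS options whose length field is even."""
    return [off for opt_type, units, off in walk_ra_options(icmp6)
            if opt_type == OPT_RDNSS and units % 2 == 0]


def build_ra(options: bytes) -> bytes:
    """Constructed test input: RA fixed part (checksum left 0) plus options."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + options


def option(opt_type: int, units: int) -> bytes:
    """Constructed option: type, length, then zero padding to units * 8 bytes."""
    return bytes([opt_type, units]) + bytes(units * 8 - 2)


# Constructed samples: a source link-layer option (type 1) followed by RDNSS.
GOOD_RA = build_ra(option(1, 1) + option(OPT_RDNSS, 3))  # one DNS server: odd
BAD_RA = build_ra(option(1, 1) + option(OPT_RDNSS, 4))   # even length field

if __name__ == "__main__":
    for name, pkt in (("GOOD_RA", GOOD_RA), ("BAD_RA", BAD_RA)):
        print(name, even_length_rdnss(pkt))
```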

MS Trickbot Takedown

Ahead of the 2020 US Presidential Election, Microsoft acted against the Trickbot botnet, disrupting one of the world’s most persistent malware operations.

Trickbot first appeared in 2016 as a banking trojan, the evolution of Dyre, designed to steal banking credentials. Over the years, Trickbot’s operators built a massive botnet, and the malware evolved into modular malware provided as a service.

The Trickbot infrastructure was rented to cybercriminals who used the botnet for initial access for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, in target networks.

Trickbot is typically delivered via email campaigns with Excel or Word documents with malicious macros.

Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure.

Microsoft claims, “As a result, operators will no longer be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads like ransomware.”

So that means Trickbot is over, right? Wrong. Researchers were quick to point out that MS only interrupted Trickbot’s US operations. It’s likely that they will reconnect with infected machines and redirect them to overseas infrastructure.

This whole disruption campaign did have some impact on Trickbot, but not to the scale that Microsoft’s press indicates. This “protecting elections” narrative from Microsoft fits in nicely with their other election security initiatives.

Now get out there and vote.

- Paul
