Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability – US Homeland Security urges public attention. (14th Oct 2020)

Preface: Before the release of IP version 6, we had a good impression of its features.

Technical background: The official technical article defines the Length field of the IPv6 RDNSS (Recursive DNS Server) option (for details, refer to the attached diagram, point 3).

Potential Impact: If an even Length value is supplied, the attacker causes the Windows TCP/IP stack to incorrectly increase the size of the network buffer by 8 bytes, because the stack fails to account for a non-RFC-compliant length value (it internally counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
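As an added example (not from the original post or from Microsoft), a small Python Router Advertisement option walker that applies the RFC 8106 length rule the paragraph above relies on: the RDNSS option is an 8-byte header plus whole 16-byte addresses, so its Length (in 8-octet units) must be odd and at least 3, and an even value is rejected before any address is read. The function names, the sample address and the 300-second lifetime are assumptions made for the example.

```python
import ipaddress
import struct

RDNSS_TYPE = 25  # RFC 8106 Recursive DNS Server option type (assumed constant name)

def validate_rdnss_length(length_units: int) -> None:
    # RFC 8106: Length counts 8-octet units; the option is an 8-byte header
    # plus n 16-byte addresses, so Length = 1 + 2n: at least 3 and always odd.
    # An even value leaves 8 bytes that do not form a whole address.
    if length_units < 3 or length_units % 2 == 0:
        raise ValueError(f"non-compliant RDNSS length {length_units}")

def parse_ra_options(payload: bytes) -> list:
    """Walk the option TLVs that follow the 16-byte RA header.
    Returns [(type, length_units, option_bytes)], raising on malformed input."""
    options, off = [], 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0")  # RFC 4861 section 4.6: discard
        size = opt_len * 8
        if off + size > len(payload):
            raise ValueError("option overruns packet")
        if opt_type == RDNSS_TYPE:
            validate_rdnss_length(opt_len)
        options.append((opt_type, opt_len, payload[off:off + size]))
        off += size
    return options

def rdnss_servers(option: bytes):
    """Decode lifetime and server addresses from an already validated RDNSS option."""
    lifetime = struct.unpack("!I", option[4:8])[0]
    addrs = [str(ipaddress.IPv6Address(option[i:i + 16]))
             for i in range(8, len(option), 16)]
    return lifetime, addrs

def build_rdnss(addrs, lifetime=300) -> bytes:
    """Constructed sample builder: always emits the RFC-compliant Length."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", RDNSS_TYPE, 1 + 2 * len(addrs), 0, lifetime) + packed

# Constructed samples: a compliant option (Length 3) and a non-compliant one
# whose Length field is even (4): 32 bytes, i.e. one address plus 8 trailing
# bytes that a stack counting in 16-byte units would misread as the next option.
GOOD = build_rdnss(["2001:db8::53"])
BAD = (bytes([RDNSS_TYPE, 4, 0, 0]) + struct.pack("!I", 300)
       + ipaddress.IPv6Address("2001:db8::53").packed + bytes(8))
```

Running `parse_ra_options(GOOD)` returns the single option, while `parse_ra_options(BAD)` raises `ValueError` on the even Length, which is the check a compliant receiver or an IDS rule applies.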

Remedy: The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Comment: The vulnerability Microsoft hit is caused by an IPv6 design feature. Perhaps it is a fundamental design matter. I predict that other vendors may encounter the same matter soon.
