.jpg?width=1920&height=1080&fit=bounds)
Preface: Before the release of IP version 6, we had a good impression of its features.
Technical background: The official technical article provides the definition of IPv6 RDNS option address length (Details refer to attached diagram – point 3).
Potential Impact: If an even length value is provided, the attacker intentionally causes the Windows TCP/IP stack to incorrectly increase the size of the network buffer by 8 bytes. Therefore it failing to account for the case where a non-RFC compliant length value is used ( because the stack internally counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
Remedy: The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
Comment: Vulnerability hit by Microsoft cause by IP V6 design feature. Perhaps, it is a fundamental design matter. Predict that may be other vendor will encountered same matter soon.