image Blue Screen of Death from Wikipedia

Many IT administrators, DevOps, TechOps and SecOps in the UK woke up this morning, to a particularly nasty looking Patch Tuesday. Top of the chat is CVE-2020–16898 which has been dubbed Bad Neighbour by McAfee and Ping of Death by Sophos.

Reality Check

It’s worth realising that this particular CVE has no known exploits, however best case scenario a threat actor could craft a ICMPv6 packet to exploit the RDNSS component of the IPv6 stack built in tcp.sys; the net result a threat actor could cause a Blue Screen of Death (BSOD). There is a worst case scenario of course in that a threat actor could craft a packet that didn’t cause a BSOD, but did allow the actor to execute code against the target system, known as Remote Code Execution (RCE). In reality the worst case scenario is unlikely to happen anytime soon, or even ever as it requires a failure of many lines of defence.

Mitigating the Threat

The best course of action at this stage is to install the update on affected Windows 10 and Windows Server 2019, the full list is available from Microsoft and the updates are now available on Windows Update. This is no less important because there is a also a vulnerability in Microsoft Outlook which may result in Remote Code Execution.

As a quick reference here are the Affected Versions of Windows and the Hotfix that patches the vulnerability:

Windows Version and Release Id HotFix
Windows 10 1709 KB4580328
Windows 10 1803 KB4580330
Windows 10 1809/Windows Server 2019 KB4577668
Windows 10/Server 1903 KB4577671
Windows 10/Server 1909 KB4577671
Windows 10/Server 2004 KB4579311

If you’re not sure what Release ID is, you can get it using the following PowerShell command:

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId

If you want to know if the Hotfix is applied to your machine you can run the following PowerShell command:

Get-HotFix KB4579311

This will either return an error message (in red) or will tell you specifically who and when it was installed:

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
MY-LAPTOP     Security Update  KB4579311     AzureAD\RichardSl... 2020-10-14 00:00:00

Managing the Threat

If for some reason you are unable to mitigate the threat by applying Windows Updates, for example if you are running a mission critical system preventing machine restarts, then there are still mitigation options open to you.

Disable RDNSS

The component that is vulnerable is part of the IPv6 stack is called RDNSS, or Recursive DNS Service, this can trivially be disabled in Windows 10 or Windows Server without requiring a restart. First find out which interfaces you need to configure with the netsh:

netsh int ipv6 show int

This will give you a list of interfaces, and their index in the idx column:

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  3          35        1500  connected     WiFi
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 14          25        1500  disconnected  Local Area Connection* 1
 11          65        1500  disconnected  Bluetooth Network Connection
 19          25        1500  disconnected  Local Area Connection* 2
 47          15        1500  connected     vEthernet (Default Switch)
  8          25        1500  connected     Npcap Loopback Adapter

Then for each externally facing interface run the following command, using your idx from the previous command in place of the 3 in my command below:

netsh int ipv6 set int 3 rabaseddnsconfig=disable

The change can be reversed with the following command:

netsh int ipv6 set int 3 rabaseddnsconfig=enable

Disable IPv6

Disabling IPv6 might be throwing the baby out with the bathwater, I would discourage anyone from doing this, although who knows there might be use cases where it makes more sense:

Disabling IPv6 on Network Adapter Windows 10

Block Bad Actors

In the [McAfee Security blog post] ( they kindly included a set of Suricata rules to block the bad actors from sending malicious packets:




As with any incident, don’t panic, stop the bleeding and then repair the damage. There will likely be lots of questions in IT teams today about this vulnerability, as it stands however there are no known exploits, proactive maintenance today will go a long way to protecting your organisation from attacks.