Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Bad Neighbor vulnerability is well known, but vulnerable Windows devices might not be accessible from the internet or have IPv6 enabled. Because working remote code execution (RCE) exploit code is not publicly available, an attacker must write and test their own RCE exploit code. A successful exploit can give an attacker complete control of a device or cause a system error.
Kill Chain
Risk Score
94
The Neighbor Discovery Protocol (NDP) facilitates host-router discovery and DNS configuration for IPv6 addresses. NDP defines ICMPv6 message types, which helps to identify relationships between devices in an IPv6 network. One of these message types is a Router Advertisement (message type 134), which includes an Recursive DNS Server (RDNSS) option for including DNS server information. The Windows TCP/IP stack has a vulnerability in how it processes incoming ICMPv6 Router Advertisement packets. An attacker creates a malicious packet with an even value in the Length field of the RDNSS option and sends the packet to the vulnerable Windows device. The even Length value causes the Windows TCP/IP stack to incorrectly calculate the network buffer size for processing the packet data. The result is a buffer overflow that can lead to remote command execution (RCE) or a denial of service (DoS).
Install relevant patches for affected devices
If unable to patch, disable the ICMPv6 Recursive DNS Server (RDNSS) option on Windows 10 and Windows Server version 1709 and later
