Jump to content

Windows “Ping of Death” bug revealed – patch now!


Recommended Posts

I've always disabled IPv6 since it has yet to be widely adopted (nor does my ISP currently support it), so I suspect my devices are likely immune (I have it disabled both in my modem/router as well as my PC and always have since MS first started rolling it out in Windows 7).  My modem is configured to block IPv6, and it's disabled in my network adapters and all of the default/built-in IPv6/ICMPv6 rules in the Windows Firewall with Advanced Security are disabled and I also use a batch script to disable all IPv6 protocols along with disabling/uninstalling it from my network adapter's properties.

Link to post
Share on other sites

Basically. for those who do not apply Windows updates each month and put it off you need the workaround.

Quote

CVE-2020-16898 mitigation

Microsoft provides a workaround for all customers who can't immediately apply the security update that addresses this critical security bug.

Microsoft advises customers who can't install the update to disable the ICMPv6 Recursive DNS Server (RDNSS) option using the following PowerShell command on systems running Windows 1709 and above (no reboot is needed):


netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

To re-enable ICMPv6 RDNSS once you applied the security update you have to use this PowerShell command (no reboot needed):


netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=enable

However, it should be noted that this is only a short term fix that blocks known attack vectors, and that you can fully mitigate the vulnerability and protect vulnerable systems only by applying the security update.

 

Link to post
Share on other sites
7 minutes ago, exile360 said:

What exactly is *INTERFACENUMBER*, does anybody know?  I couldn't find anywhere that MS documented it.

It is "probably" a registry entry that does not exist yet that gets created when you run the command in powershell.

I personally wait with baited breath at noonish my time for every patch Tuesday update and install it right away. after creating a system image earlier in the day.

Link to post
Share on other sites

Yeah, I install the patches immediately as well (I check for updates, usually daily as I still have Windows Defender enabled, plus I like to check for/install any out-of-band updates/emergency patches that Microsoft might release).

How can I run the command in Powershell without knowing what the value should be?  It's supposed to be some number specific to the network adapter in use, I'm sure; I just don't know what number/value it's looking for, and I tried running the command and it threw a syntax error, so that *INTERFACENUMBER* syntax/entry must be a placeholder for a specific value to be entered by the user; I just don't know what it is or where to find it.

That said, IPv6 is completely borked/disabled on my system and on my router/modem, so there's no way for anyone to ping me/connect to me via IPv6 anyway.  I even have it blocked via Simple DNSCrypt.

I already installed the patch, however I'd prefer to do all I can to kill IPv6 until it has been secured (it still contains many vulnerabilities/lacks many security features built into IPv4) and is more widely adopted.

Link to post
Share on other sites

Thanks David :)

Yep, I know AdvancedSetup, I just disable all IPv6 on principle since it has several security issues currently compared to IPv4, and since my ISP doesn't support it, there's no point in keeping any of it active/enabled/installed at this point.

Edited by exile360
Link to post
Share on other sites
8 hours ago, exile360 said:

What exactly is *INTERFACENUMBER*, does anybody know?  I couldn't find anywhere that MS documented it.

Network cards aka Interface can have all sorts of names. Thus you need to make sure the name matches for any changes you try to make to it

Example showing names and yes, the information from David will provide that too

 

https://community.spiceworks.com/how_to/144540-show-and-configure-ipv4-on-the-windows-cmd-command-prompt-with-netsh-set-ip-address

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.