Ben Reardon, security researcher at Corelight.
This month's Microsoft Patch Tuesday included a serious remote code execution (RCE) vulnerability in the way Windows TCP/IP handles IPv6 ICMP Router Advertisements (CVE-2020-16898). Because of the severity and scope of this issue, Corelight Labs immediately set about developing a Zeek package with the aim of getting it into the hands of the Zeek community before the inevitable DoS/RCE PoC appeared. You can find the package here: https://github.com/corelight/CVE-2020-16898.
This blog is a short story about some of the interesting things that came up during the less-than-24-hour period it took to produce this package, from development, to testing on real-world network traffic, to release.
This blog is not intended to describe the vulnerability itself in detail. The following text, quoted from Microsoft's advisory, paints an excellent high-level picture:
The exploit developer race
It is clear that any vulnerability, be it RCE or DoS (in this case both), that sits in the TCP/IP stack itself is bad news: the vulnerable code exists on a huge number of machines and is deeply embedded. Another aspect that seemed interesting was that it involves IPv6 ICMP messages. With this in mind, we knew this bug would be attractive to exploit developers, so we thought it likely that a DoS PoC would be released soon, probably followed by an RCE exploit. Time was tight, so my teammate Yacin Nadji from Corelight Labs on the east coast of the United States and I in Australia followed the sun to get the package out quickly.
If you have never had a reason to dig into IPv6 ICMP Router Advertisements before (or if RFC 4443 and RFC 8106 are not fresh in your memory), you could be forgiven for being more than a little impressed by the amount of data and structure these messages carry. It was quite new to me, and I have to admit that at first I doubted we could deliver the detection quickly, because it looked complicated.
Thank you, past Zeek developers!
Straight after that initial concern, I consulted the Zeek documentation and discovered that the icmp_router_advertisement event already parses all the data from these packets and exposes it in "script-land", the commonly used term for data that can be referenced directly from Zeek scripts. I was grateful to the developer who wrote this analyzer. They probably never imagined it would be used this way one day, and it works perfectly for IPv6. This is a great, simple example of the value of Zeek. It made writing the detection script very easy: it probably took an hour or less. It was much easier than I had imagined, because the four elements described in the very useful McAfee blog on this vulnerability were already available, just waiting for someone to use them! Writing the detection was then a matter of checking how each data element could be referenced correctly, combining the four indicators in a conditional, and raising a notice when all of them are seen together.
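The page does not enumerate the four indicators the package combines, so the example below (added here; it is not the Corelight package's code or Zeek code) walks the same Router Advertisement option structure that the Zeek event exposes and keys on the one Bad Neighbor indicator that RFC 8106 makes unambiguous on the wire: an RDNSS option (type 25) whose Length field is even, where the RFC requires 3 + 2N for N addresses. The packets are constructed inline for illustration rather than captured traffic, and the resolver address is just an example value.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4443 / RFC 4861 Router Advertisement type
ND_OPT_RDNSS = 25                   # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16                  # ICMPv6 header (4) + hop limit/flags/lifetime (4) + reachable (4) + retrans (4)


@dataclass
class NDOption:
    otype: int       # 8-bit option type
    length: int      # 8-bit Length in units of 8 octets, covering the 2-byte TLV header too
    payload: bytes   # option body after the type/length bytes


def parse_ra_options(icmpv6: bytes) -> List[NDOption]:
    """Walk the Neighbor Discovery option TLVs that follow a Router Advertisement header.

    Returns [] for anything that is not an RA. Parsing stops at a zero-length
    option (RFC 4861 section 4.6 forbids Length 0) or at an option whose
    declared length runs past the end of the packet, so a malformed tail can
    neither loop forever nor be read out of bounds.
    """
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    options: List[NDOption] = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        otype, length = icmpv6[offset], icmpv6[offset + 1]
        if length == 0:
            break
        nbytes = length * 8
        if offset + nbytes > len(icmpv6):
            break
        options.append(NDOption(otype, length, icmpv6[offset + 2:offset + nbytes]))
        offset += nbytes
    return options


def bad_neighbor_indicator(icmpv6: bytes) -> Optional[str]:
    """Return a description of the first RDNSS option with an even Length, else None.

    RFC 8106 section 5.1 defines RDNSS Length as 3 + 2N for N addresses, so a
    legitimate option always has an odd Length of at least 3.
    """
    for opt in parse_ra_options(icmpv6):
        if opt.otype == ND_OPT_RDNSS and opt.length % 2 == 0:
            return f"RDNSS option with even Length {opt.length} (RFC 8106 requires 3 + 2N)"
    return None


# --- constructed sample packets (illustrative, not captured traffic) ---

def build_ra(options: bytes) -> bytes:
    """ICMPv6 RA: type 134, code 0, checksum 0 (not verified here), hop limit 64,
    flags 0, router lifetime 1800 s, reachable time 0, retrans timer 0."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(length: int, lifetime: int, body: bytes) -> bytes:
    """RDNSS TLV: type 25, Length as given, 2 reserved bytes, 4-byte lifetime, then body."""
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body


DNS_ADDR = bytes.fromhex("20014860486000000000000000008888")  # 2001:4860:4860::8888, example resolver

# One resolver address: 8-byte option header + 16-byte address = 24 bytes = Length 3.
BENIGN_RA = build_ra(rdnss_option(3, 3600, DNS_ADDR))

# Length 4 claims 32 bytes: the same address plus 8 trailing bytes, the shape the
# public Bad Neighbor write-ups describe. The trailing bytes here are arbitrary filler.
SUSPECT_RA = build_ra(rdnss_option(4, 3600, DNS_ADDR + bytes(8)))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("suspect", SUSPECT_RA)):
        print(name, bad_neighbor_indicator(pkt))
```

The parser deliberately refuses to trust a Length field that overruns the packet, which is exactly the class of mistake the vulnerable stack made; a detection that crashed on the same malformed input would be no detection at all. In Zeek the equivalent check is a handful of lines in an icmp_router_advertisement handler over the options the event already parses, as the paragraph above describes.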
Rapid detection development
Developing a detection before a validated PoC is available can be a problem, because you may not have any packets to test whether your logic correctly identifies true positives. Fortunately, just before release, we came across a pcap that contained all the elements, and as expected our package raised the detection, which was encouraging. Although there was no PoC tool to test against, the decision to release our package as soon as possible was clear:
- We were able to do significant testing on real network traffic to make sure there were no false positives;
- We successfully tested the logic end to end on a synthetic pcap;
- The detection logic was very simple, so the risk was low;
- The detection logic was also developed independently by other security researchers, which served as a good cross-check (see the next section);
- Publishing the script has more upside, because organizations can protect themselves before a PoC is available rather than waiting for an incident and a scramble on a Friday night.
The Zeek open source community makes it possible
Anyone who has been part of the Zeek community knows that it is a lively and active one. In fact, at the same time we were developing our script, at least two other researchers from the community were developing their own. Those packages were released at around the same time, and I refer to them below. Given the time zones and tight deadlines, it was great to have such a cross-check.
Note that all of these packages were released on the second day of the virtual Zeek Week 2020, which makes the community element even stronger. Take a look at the Zeek Week session here if you are interested.
As with all the response packages Corelight develops, we understand that the threat landscape is very fluid in these early days. New information becomes public as exploit developers work toward a functioning exploit, and we respond to those changes by adapting our packages to the new information available. Above all, we believe your feedback on using these packages is very valuable. Do not hesitate to contact us with any comments or suggestions.
*** This is a Security Bloggers Network syndicated blog from the Bright Ideas Blog, written by Ben Reardon. The original post can be found at https://corelight.blog/2020/10/15/zeek-community-activates-to-detect-bad-neighbor-cve-2020-16898/.