Hello, welcome to the Wednesday, October 14th, 2020 edition of the Sansonet Stormeners Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

Today, of course, Microsoft's Patch Tuesday, and with that we got patches for 87 vulnerabilities, 12 of which are rated critical

and 6 have been previously disclosed, but according to Microsoft, none of these vulnerabilities

have been exploited so far. Now the one vulnerability that sticks out because of its high CWS score of 9.8 is a remote

code execution vulnerability in the Windows TCP IP stack that can be triggered by an ICMP

V6 router advertisement packet.

So IPV6 is of course one of my favorite topics.

Just finished teaching the IPV6 section of SEC 503

earlier today here in an online class.

Router advertisements are sent out by IPV6 routers

in regular instances or in response to a host

that just booted up and is looking for a router via a router solicitation.

Now there are a couple things that you usually find in these router advertisements.

You do find the hop limit that a router would like you to use to start

out with, the MTO of the network, and then you may find one or more prefixes that are used on

the network, and that can then be used by the host to come up with a routable IPV6 address.

The one feature that may actually matter here is that there is an option in IPV6

to advertise DNS servers via these router advertisements.

And one of the workarounds mentioned here is that you should disable the recursive DNS server feature in ICMPB6.

So that's basically a hint that this feature may be to blame for what's going wrong here.

It's a little bit newer feature and not really all that widely used necessarily,

...