Simple policy to detect CVE-2020-16898: Bad Neighbor
The following functionality is provided by the script:
1) The script checks for the heuristic described here: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
Installation
Install with zeek-pkg install zeek/initconf/CVE-2020-16898-Bad-Neighbor, or load the scripts directly with @load CVE-2020-16898-Bad-Neighbor/scripts
Detailed Notes:
Alerts and descriptions: the following alerts are generated by the script:
The heuristics are simple. As described at https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/ :
(i) Look for packets with an ICMPv6 Type field of 134, indicating a Router Advertisement.
(ii) Within such a packet, look for an ICMPv6 option with a Type field of 25, indicating Recursive DNS Server (RDNSS).
(iii) If this RDNSS option also has a length field value that is even, the heuristic would drop or flag the associated packet, as it is likely part of a Bad Neighbor exploit attempt.
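The three-step heuristic above, implemented in Python as an added example (this is not the package's Zeek script): it parses the fixed 16-byte Router Advertisement header, walks the Neighbor Discovery options (each option's length field is in units of 8 octets), and reports any RDNSS option whose length is even. The Router Advertisement byte strings are constructed for the example; the helper names `parse_nd_options`, `check_bad_neighbor`, `build_ra` and `rdnss_option` are assumptions of this example, not names from the package.

```python
"""Added example: Bad Neighbor (CVE-2020-16898) heuristic over raw ICMPv6 bytes.
Not the package's own Zeek code; packet bytes below are constructed."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # step (i)
ND_OPT_RDNSS = 25                  # step (ii)
ND_OPT_MTU = 5                     # used only to build a realistic benign RA

def parse_nd_options(data):
    """Return a list of (type, length_units, raw_bytes) for each ND option.

    Length is in 8-octet units (RFC 4861). A zero length is invalid, so the
    walk stops there instead of looping forever; a truncated final option is
    returned with whatever bytes are present.
    """
    options = []
    offset = 0
    while offset + 2 <= len(data):
        otype, olen = data[offset], data[offset + 1]
        if olen == 0:
            break
        size = olen * 8
        options.append((otype, olen, data[offset:offset + size]))
        offset += size
    return options

def check_bad_neighbor(icmpv6):
    """Return a list of findings for the Bad Neighbor heuristic (empty = no match).

    `icmpv6` is the ICMPv6 message starting at the Type byte. The RA fixed part is
    16 bytes: type, code, checksum, hop limit, flags, router lifetime,
    reachable time, retrans timer; options follow it.
    """
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    findings = []
    for otype, olen, raw in parse_nd_options(icmpv6[16:]):
        if otype == ND_OPT_RDNSS and olen % 2 == 0:  # step (iii)
            findings.append(
                f"RDNSS option with even length {olen} ({len(raw)} bytes present)")
    return findings

# --- constructed sample packets -------------------------------------------

def build_ra(options):
    """Router Advertisement fixed header (checksum left as zero) plus options."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                         64, 0, 1800,                        # hop limit, flags, lifetime
                         0, 0)                               # reachable, retrans
    return header + b"".join(options)

def rdnss_option(length_units, payload):
    """RDNSS option: type, length, reserved, lifetime, then the address bytes."""
    body = struct.pack("!BBHI", ND_OPT_RDNSS, length_units, 0, 3600) + payload
    assert len(body) == length_units * 8, "payload must fill the declared length"
    return body

DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")  # constructed 2001:db8::53
MTU_OPTION = struct.pack("!BBHI", ND_OPT_MTU, 1, 0, 1500)

# Well-formed RA: one RDNSS address -> length 3 (8-byte header + 16-byte address).
BENIGN_RA = build_ra([MTU_OPTION, rdnss_option(3, DNS_ADDR)])

# Bad Neighbor shape: even length (4) with 8 trailing bytes that are not a whole
# IPv6 address, which is what the vulnerable parser mishandled.
BAD_RA = build_ra([MTU_OPTION, rdnss_option(4, DNS_ADDR + b"\x41" * 8)])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("bad", BAD_RA)):
        print(name, check_bad_neighbor(pkt) or "no match")
```

The option walk stops on a zero-length option for the same reason a real parser must: the length governs the stride, and a zero stride never advances. Feeding the function anything other than an ICMPv6 type 134 message (an Echo Request, for instance) returns no findings, matching step (i).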