Worklet: workaround for CVE-2020-16898

4 years ago
October 16, 2020
0 replies
35 views

Melvin_Luijten

In this worklet we check if a host is possibly vulnerable for CVE-2020-16898 based on the OS version and the installation status of the patch. If the patch is not installed the workaround is implemented.

For more info check: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC

The only manual task is to later revert this change when the patch is applied.

Evaluation code:

#define osversion number
$osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId

#define KB Number and check for presence

$1709 = 'KB4580328'
$1803 = 'KB4580330'
$1809 = 'KB4577668'
$1903 = 'KB4577671'
$2004 = 'KB4579311'

#Check applicable OS version and installation of patch

if ($osversion -eq '1709'){ 
	$patched1 = Get-Hotfix -Id $1709 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1803'){ 
	$patched2 = Get-Hotfix -Id $1803 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1809'){ 
	$patched3 = Get-Hotfix -Id $1809 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1903'){ 
	$patched4 = Get-Hotfix -Id $1903 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '2004'){ 
	$patched5 = Get-Hotfix -Id $2004 -ErrorAction SilentlyContinue
}

#if KB is not installed continue to check if workaround is applied
if ($? -eq "True")
{Write-Output "patch installed"
exit 0}
else {
Write-Output "patch not installed"
}

#define interface numbers
$INTERFACENUMBER=(Get-NetIPInterface -AddressFamily IPv6).ifIndex

#determine if workaround has already been applied if already applied exit 0
Foreach ($interface in $INTERFACENUMBER)
{
$output = (netsh int ipv6 show int "$interface")[-3]
if ($output -eq 'RA Based DNS Config (RFC 6106)     : enabled'){
Write-Output "Workaround required"}
else {
exit 0 
}
}

Remediation code

$INTERFACENUMBER=(Get-NetIPInterface -AddressFamily IPv6).ifIndex
Foreach ($interface in $INTERFACENUMBER)
{
$output = netsh int ipv6 set int $interface rabaseddnsconfig=disable 
if ($output -eq 'Ok.'){Write-Output "Workaround aplied on ifindex $interface"
}
else {Write-Output "something went wrong" 
}
}

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

Patch Now and Remediation for Microsoft CVE-2020-1350 DNS vulnerability

KB4577015 breaks parts of MMC

IE Zero Day Remediation for CVE-2020-0674

Worklet: Turn off SMBv3 compression to remediate CVE-2020-0796

Patch Tuesday Companion Content : Windows TCP/IP Vulnerability Worklets

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings