Worklet: workaround for CVE-2020-16898

4 years ago
October 16, 2020
0 replies
35 views

Melvin_Luijten

In this worklet we check if a host is possibly vulnerable for CVE-2020-16898 based on the OS version and the installation status of the patch. If the patch is not installed the workaround is implemented.

For more info check: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC

The only manual task is to later revert this change when the patch is applied.

Evaluation code:

#define osversion number
$osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId

#define KB Number and check for presence

$1709 = 'KB4580328'
$1803 = 'KB4580330'
$1809 = 'KB4577668'
$1903 = 'KB4577671'
$2004 = 'KB4579311'

#Check applicable OS version and installation of patch

if ($osversion -eq '1709'){ 
	$patched1 = Get-Hotfix -Id $1709 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1803'){ 
	$patched2 = Get-Hotfix -Id $1803 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1809'){ 
	$patched3 = Get-Hotfix -Id $1809 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '1903'){ 
	$patched4 = Get-Hotfix -Id $1903 -ErrorAction SilentlyContinue
}
elseif ($osversion -eq '2004'){ 
	$patched5 = Get-Hotfix -Id $2004 -ErrorAction SilentlyContinue
}

#if KB is not installed continue to check if workaround is applied
if ($? -eq "True")
{Write-Output "patch installed"
exit 0}
else {
Write-Output "patch not installed"
}

#define interface numbers
$INTERFACENUMBER=(Get-NetIPInterface -AddressFamily IPv6).ifIndex

#determine if workaround has already been applied if already applied exit 0
Foreach ($interface in $INTERFACENUMBER)
{
$output = (netsh int ipv6 show int "$interface")[-3]
if ($output -eq 'RA Based DNS Config (RFC 6106)     : enabled'){
Write-Output "Workaround required"}
else {
exit 0 
}
}

Remediation code

$INTERFACENUMBER=(Get-NetIPInterface -AddressFamily IPv6).ifIndex
Foreach ($interface in $INTERFACENUMBER)
{
$output = netsh int ipv6 set int $interface rabaseddnsconfig=disable 
if ($output -eq 'Ok.'){Write-Output "Workaround aplied on ifindex $interface"
}
else {Write-Output "something went wrong" 
}
}

Be the first to reply!

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

Using tokens in "Set Score" business rules

CE+CS: Better Together

Prioritize feedback to drive strategic decisions

Join us in St. Louis for Advanced Admin Training Feb. 21 - 23!

Advanced Admin Hands-on Workshop in St. Louis

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings