Prevent 'Bad Neighbor' Vulnerability that Affects Windows 10 Systems Using Workspace ONE

In the October monthly security rollups, Microsoft fixed two significant issues in the IPv6 ICMP protocol affecting all versions of Windows. This is commonly referred to as Bad Neighbor vulnerability. The first issue can lead to remote code execution (CVE-2020-16898) and the second issue causes denial of service (CVE-2020-16899) in the form of BSoD.

You need to patch all the affected systems as soon as possible. Let’s explore using Workspace ONE UEM to maintain patching hygiene and compliance. Taking it a step further, we'll go through automating Windows patches by Common Vulnerability and Exposure (CVE). Finally, we'll take a look at a mitigation approach when patching is not immediately possible.

Maintain patching hygiene and compliance by using Workspace ONE UEM

You can use the Windows Updates policy to set update configurations such as the Windows Update servicing channel to which the device subscribes, the ability to defer or pause Feature and/or Quality updates, when to download/install updates, leverage delivery optimization, and much more.

For more details on enrolling devices, refer to Planning your Windows 10 Deployment: VMware Workspace ONE Operational Tutorial. For more information deploying a Windows Updates profiles, see Managing Updates for Windows 10: VMware Workspace ONE Operational Tutorial.

Figure 1: Workspace ONE UEM Device Updates View

Assuming that you have deployed your Windows Updates profile through Workspace ONE UEM, you can view all the discovered updates that are applicable to your managed Windows 10. You can view the updates in the Workspace ONE UEM admin console under Devices > Device Updates. You can quickly search for the KBs that you want to approve, or assign the KBs to a smart group, then wait for the devices to apply the patches based on their configured settings.

A vulnerability fix can be correlated to multiple KBs as the KBs can target numerous Windows OS versions. The CVE-2020-16898 and CVE-2020-16899 vulnerabilities correlate to at least 7 different KBs. When managing patches on Workspace ONE UEM, you can search for the individual KBs.

When you have configured auto-approval of updates as part of the Windows Updates Policy, you can utilize the Device Updates view to verify if the updates are assigned or approved.

Figure 2: List of KBs available on Workspace ONE UEM Console

For each of the listed KBs, you can obtain detailed KB information and the deployment status of those KBs across your environment.

Figure 3: Detailed KB information and deployment status on Workspace ONE UEM Console

Getting insights with Security Risk dashboard

Next, we will dive into using Workspace ONE Intelligence. As mentioned earlier, multiples KBs are correlated with the 'Bad Neighbor' vulnerability. In an environment with thousands of Windows devices, tracking all of these KBs without efficient tools might be challenging.

Workspace ONE Intelligence addresses this by correlating all the Microsoft KBs available in your environment with the CVEs that are registered at MITRE and scored by the U.S. National Vulnerability Database (NVD), providing granular patching insight across the environment through a powerful automation engine.

The Security Risk dashboard provides visibility to all vulnerabilities, correlating Microsoft KBs with CVE in a unified view to help you make decisions based on real-time information.

To view the Security Risk dashboard, in the Workspace ONE Intelligence console, navigate to the Security Risk menu, and select Vulnerabilities.

Figure 4: Security Risk dashboard in Workspace ONE Intelligence

In addition to the chart that presents the vulnerable devices by CVSS score, on the List of Known Vulnerabilities you can also search for a specific CVE identifier and obtain the following information:

• CVE Number
• CVSS Score
• CVE Published Date
• Devices Impacted

Figure 5: List of known vulnerabilities

Automate patches based on CVE

Let's now automate the patches by using the CVE Identifier. This will ensure the patches are automatically approved, without the need to do this manually. You can do this in the Workspace ONE Intelligent Console by simply creating an automation workflow based on Windows OS Updates.

Figure 6: Creating automation workflow based on Windows OS Updates

Name your automation, define the filtering criteria based on the CVEs, enrolled devices, and Windows Patches that were not installed yet.

The filter criteria in Workspace ONE Intelligence will look like the image below:

Figure 7: Automation filter conditions.

Next, define Approve patch as the action to be applied to the device.

Figure 8: Automation Actions for Workspace ONE UEM.

Ensure the Patch Revision ID matches the rule that you set. In this example, the revision ID is ${win_patch_revision_id} as we are looking at the correlated KBs.

Figure 9: Approve patch action parameters.

The Workspace ONE Intelligence Automation integrates with Workspace ONE UEM patch management process to enable end-to-end automation patch of the devices.

Figure 10: Next Generation Patch Management.

You can then monitor patch remediation either by leveraging Workspace ONE Intelligence dashboards and reports or by viewing the KB status in the Workspace ONE UEM console.

Figure 11: Custom dashboard to monitor CVE deployment.

How to mitigate when patching is not immediately possible

When patching is not immediately possible because of things like update schedules and the change control and approval process, the alternative is to deactivate the DNS Server option on IPv6 NICs for all systems running Windows 1709 and later.

In a manual scenario, you need to identify if the "RA Based DNS Config (RFC 6106)" is enabled for each NIC on each device, and deactivate the NICs as required, by using a sequence of PowerShell scripts.

1. Obtain the list of NICs and the respective identifier (Idx) by using the following PowerShell command:

Figure 12: Obtaining the list of NICs

2. Identify the status of the "RA Based DNS Config (RFC 6106)" for each NIC with the following command:

(netsh int ipv6 show int #) -match ‘(RFC 6106)’

Note: Replace # with the Ix of the respective NIC:

Figure 13: Identifying the status of the "RA Based DNS Config (RFC 6106)" 

3. Deactivate "RA Based DNS Config (RFC 6106)" by using the command:

 netsh int  ipv6 set int# rabaseddnsconfig=disable

Figure 14: Disabling "RA Based DNS Config (RFC 6106)"

The above steps need to be repeated for all NICs on the device.

Now, running a script multiple times on many machines at scale, isn't a great use of time, is it? Workspace ONE UEM provides capabilities that let you deliver PowerShell scripts to target devices leveraging Smart groups and monitoring from Workspace ONE UEM console.

You can write a script code and deploy it to managed devices by using the Sensors or Scripts capabilities of Workspace ONE UEM.

• Sensors  - allows you to automate data collection for desktop endpoints and make the data available in the Workspace ONE UEM console.
• Scripts - allows you to automate endpoint configurations on Windows 10 and macOS devices. Scripts is available on Workspace ONE UEM 2010 as Tech Preview.

When patching is not immediately possible, and you decide to use Scripts as a preventative measure, we would recommend using Workspace ONE Scripts as this is a one-time configuration push. You can use Workspace ONE Sensors to return any values to Workspace ONE.

The following script will identify all NICs for each Windows 10 device and deactivate the "RA Based DNS Config (RFC 6106)" as needed.

Figure 15: Identifying all NICs for Windows 10 devices and disabling "RA Based DNS Config (RFC 6106)"

The target devices for the script will be based on smart groups criteria, including when the script will be deployed on the device.

„

Figure 16: Selecting a deployment method

You can monitor the script execution across all devices and the respective status.

Figure 17: Monitoring script execution

Until patching can be completed, running this script is a way to keep the devices safe until the patch update gets applied. When going through this path, remember to re-enable this feature after patching, the same script can be used for that.

Summary

Workspace ONE patch Management can ensure that patches are applied to devices anywhere the users are located, without needing to be on a VPN or connect to internal resources such as WSUS.

Workspace ONE allows you to:

• Manually approve the Individual KB updates from the Device Updates Dashboard in Workspace ONE UEM.
• Set critical and security updates to auto-approved as part of the Windows Device Updates Policy.
• Leverage Workspace ONE Intelligence to automate approving the correlated KBs for each CVE.
• Mitigation approach when patching is not immediately possible utilizing scripts

For more information, see:

• Planning your Windows 10 Deployment: VMware Workspace ONE Operational Tutorial.
• Managing Updates for Windows 10: VMware Workspace ONE Operational Tutorial.
• Meeting Security SLAs Through Intelligent Patch Automation: VMware Workspace ONE Operational Tutorial
• Automating Patch Remediation with Workspace ONE Intelligence: VMware Workspace ONE Operational Tutorial

Authors

This blog was written by:

• Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.
• Darren Weatherly, End-User-Computing Senior Architect, Technical Marketing, VMware.
• Josue Negron, End-User-Computing Staff Architect, Technical Marketing, VMware.