While true that it is extremely difficult to exploit (especially given the uptake of IPv6) there are some POC samples out there but I disagree with the severity rating awarded.
The 'juicy details' are as follows -
The validity of DNS options is checked with the Length field; that is, the value of the Length field in the RDNSS option is greater than or equal to the minimum value (3) and satisfies the requirement that (Length - 1) % 2 == 0. When an even length value is provided, the Windows TCP/IP stack incorrectly advances the network buffer by an amount that is 8 bytes too few.
(Note: Only relates to IPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even).
I’ve not looked in detail, but I’d be surprised if it was as I don’t think Router Announcements propagate beyond the local network...so you could get all machines on a network segment but it wouldn’t spread across a whole company.
The Suricata signature for this vulnerability is located in cve-2020-16898.rules and contains the following logic:
alert icmp any any -> any any (msg:"Potential CVE-2020-16898 Exploit"; lua:cve-2020-16898.lua; sid:202016898; rev:1;)
The corresponding Lua script may be found in cve-2020-16898.lua. It contains the logic necessary to properly parse the ICMPv6 layer and identify potential exploitation of Bad Neighbor, as follows:
Once we've located the start of the ICMPv6 layer, we test the first byte of the layer to ensure that it's a Router Advertisement ICMPv6 packet (Type = 134) - if it isn't, we exit.
Since Suricata primitives have not been updated to parse the ICMPv6 options, we simply jump to the 17th byte of the ICMPv6 layer, since that's where the Options should start, if present (the first 16 bytes are static-length fields, per RFC 4443). From there, we loop over every Option until we run out of bytes in the packet. For each Option, we're only interested in the first two bytes: the Option Type and Length fields, respectively. While we ignore all Options that aren't RDNSS, for Option Type = 25 (RDNSS), we check to see if the Length (second byte in the Option) is an even number. If it is, we flag it. If not, we continue. Since the Length is counted in increments of 8 bytes, we multiply the Length by 8 and jump ahead that many bytes to get to the start of the next Option (subtracting 1 to account for the length byte we've already consumed).
With this rule, we also check to make sure that the Length is at least 3, since RFC 8106 requires it, but ultimately this check may be superfluous, since we're only concerned with whether the Length is even or not.
Most gear should have a feature called RA Guard which will block this put of the box and you should run it regardless of this vuln because your clients shouldn't be advertising as routers on your network.
I can't speak for every implementation in the world but at least most block both as it actually takes more work to create a filter that only blocks multicast RAs. The filter to block all is an automatic ACL saying "ICMP Type 136, direction ingress, action drop" and a multicast only version would take additional checks to do less.
"While Shodan.io shouldn’t be counted on as a definitive source, our best queries put the number of Windows Server 2019 machines with IPv6 addresses is in the hundreds, not exceeding approximately 1000. This is likely because most servers are behind firewalls or hosted by Cloud Service Providers (CSPs) and not reachable directly via Shodan scans."
High priority issue, but I dont think we will see some massive wave of outages.
Shodan (or anyone else) can't really get an authoritative count of live IPv6 devices of any kind, because the address space is too big to scan using brute force.
They had (have?) a clever semi-workaround for this, by getting themselves into one or more of the public NTP pools, and then port-scanning any IPv6 address that queried their NTP service, but I wouldn't consider that count anything like definitive.
Regardless, it's still a huge problem for internal networks.
I read they got kicked off the NTP pool, but it's not the only way to enumerate IPv6 sources. There are many different ways to significantly reduce the search space including looking only at announced prefixes, searching common IPv6 addresses (i.e. the first few, last few, plus common mac address ranges for EUI-64) etc.
I also assume that routers won't pass ICMPv6 RAs, so limited to a single network segment. And, only affects Windows 10.