FAQ
Why was the Exploitability Index rating for this vulnerability lowered from “1 - Exploitation More Likely” to “2 – Exploitation Less Likely”? The presence of exploit mitigations (specifically /GS (Buffer Security Check)) makes it extremely difficult to exploit this issue for code execution. Why is the CVSS score for this vulnerability being reduced from 9.8 to 8.8? The CVSS score was lowered because the vulnerability is not routable over the internet, so we changed the AV score to Adjacent.
Mitigation
This vulnerability is not routable over the internet, but only over a local subnet.
Workaround
The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place: Disable ICMPv6 RDNSS. You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the following PowerShell command. This workaround is only available for Windows 1709 and above. See What's new in Windows Server 1709 for more information. netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable Note: No reboot is needed after making the change. Impact of Workaround The workaround disables RA-based DNS configuration. It is an alternative in networks where an IPv6 host's address is auto-configured through IPv6 stateless address auto-configuration where there is either no DHCPv6 infrastructure at all or some hosts do not have a DHCPv6 client. Windows still supports DHCPv6 and it takes precedence over 6106-based configuration. Before applying the workaround, customers need to consult with their IT admin to confirm that their network infrastructure doesn't rely on RA-based DNS configuration. Refer to RFC 8106 fo...