Security Advisory: Microsoft Windows DNS Server Remote Code Execution Vulnerability

Summary


On July 14th, 2020 Microsoft publicly disclosed the existence of a critical severity vulnerability in all
recent versions of the Microsoft Windows Server operating system. The vulnerability, CVE-2020-
1350, has a CVSS of 10.0 (the most severe) and affects Windows based DNS servers. The
vulnerability, if exploited, could allow unauthenticated attackers to execute arbitrary code with the
privileges of the local “system” account, which has full access to Windows based systems. Due to
the critical nature of the vulnerability and the fact that Active Directory Domain Controllers often
function as Window based DNS servers, it is possible for attackers to execute arbitrary code as a
privileged user on domain controllers, thus potentially granting themselves access to a “Domain
Administrator” account.


This extremely severe and somewhat simple to exploit vulnerability is considered “wormable” and
Microsoft is aware of limited targeted attacks that leverage this vulnerability to compromise Active
Directory environments. The vulnerability can be exploited by any user who has local network
access to Windows based DNS servers. Additionally, Checkpoint, the firm that discovered the
vulnerability, has confirmed that the vulnerability could also be exploited by forcing an end user’s
Internet Explorer or Microsoft Edge browser to make a malicious DNS query to a local Windows
based DNS server. As of the date of this advisory, it is not currently possible to force Chrome or
Firefox browsers to make these malicious DNS queries.


The Cyber Fusion Center strongly recommends all organizations apply Microsoft supplied patches
to any Windows Servers that may be running DNS immediately. Organizations should also consider
that their Active Directory domain controllers may be acting as DNS servers. Organizations that are
unable to apply these patches immediately should follow the temporary workaround guidance
provided in this advisory.


Affected software


The following Microsoft Windows Server versions are impacted if are assigned the DNS server role:

  • Windows Server 2008 All versions (32 bits, 64 bits, IA64)
  • Windows Server 2012 All versions
  • Windows Server 2016 All versions
  • Windows Server 2019 All versions
  • Windows Server version 1903 (Server Core Installation)
  • Windows Server version 1909 (Server Core Installation)
  • Windows Server version 2004 (Server Core Installation)

Impact

Successful exploitation of these vulnerabilities can provide attackers local system account
privileges on impacted Windows systems. Such access enables attackers take complete control of
impacted systems. Additionally, as Active Directory Domain Controllers often function as a Window
based DNS servers, it is possible for attackers to execute arbitrary code as a privileged user on
domain controllers, thus granting themselves access to a “Domain Administrator” account.


Mitigations and Workarounds


The Cyber Fusion Center strongly recommends all organizations apply Microsoft supplied patches
to any Windows Servers that may be running DNS immediately. Organizations should apply patch
KB4565529 (Security update only) or patch KB4565536 (Monthly rollup bundle).


For systems that cannot be patched immediately, a temporary workaround it to make the
following Windows registry changes which reduces the maximum size of DNS request packets.

  • Open registry by launching regedit.exe
  • Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  • Edit or create the key “TcpReceivePacketSize” (DWORD) with following value: 0xFF00
  • Restart the DNS service to apply the change: net stop dns && net start dns


Important Note: 
Limiting DNS packet size may cause some DNS queries to fail.


Once the Microsoft supplied security patches are applied on affected systems, organizations can
safely remove the temporary workaround described above by deleting the “TcpReceivePacketSize”
registry key and its data.


For details on potential impacts of these workarounds, or details on how to rollback these
changes, please review
Microsoft’s security advisory.


CFC Support & Detection


The Cyber Fusion Center’s vulnerability scanning service has been updated in order to detect this
vulnerability. If any vulnerable windows systems are detected, the Cyber Fusion Center will create
a critical severity security incident. If organizations that subscribe to the CFC’s vulnerability
scanning service would like scans to be performed immediately or on a different schedule, please
open a case in the CFC Portal to do so.


The Cyber Fusion Center is also working with our vendor partners to build detection capabilities for
attempted exploitation attempts against this vulnerability.

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-codeexecution-vulnerability
https://www.tenable.com/blog/cve-2020-1350-wormable-remote-code-executionvulnerability-in-windows-dns-server-sigred
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploitinga-17-year-old-bug-in-windows-dns-servers/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s