[vc_row][vc_column][vc_column_text css=”.vc_custom_1594804007589{margin-bottom: 0px !important;}”]Priority: Critical
Executive Summary:
Microsoft’s Security Response Center (MSRC) announced on 14 July 2020, they have released an update to patch CVE-2020-1350, which is a critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that has a CVSS score of 10, the maximum severity.[1] [2][3]
The vulnerability exists in the way the DNS server handles specific requests and means that an unauthenticated attacker could remotely gain control of the local system account, fully compromising the host. The nature of this attack makes it wormable between affected DNS servers and, considering Windows DNS Server is a core networking component and is often found running on Domain Controllers, it is imperative that these systems are updated as soon as possible. While no exploit has yet been published, given the criticality and potential impact of this vulnerability, an exploit is likely to be developed very soon.
Microsoft have published workaround instructions, should patching not be an option, although there are minor side-effects to the required registry changes, so administrators are advised to proceed with due caution and implement changes on redundant or test systems first.
The July 2020 updates patch a total of 123 CVEs, including 17 critical vulnerabilities in addition to this one, marking the fifth consecutive month in which Microsoft have released updates patching more than 100 CVEs, and bringing the 2020 total so far up to 742. By comparison, 2019 saw a total of 851 CVEs patched by Microsoft for the entire year. [4]
Detect:
Window DNS Server is a core networking component and is almost certainly going to be present in an Active Directory Domain environment. Administrators should refer to the Affected Products section for respective Windows versions and KB articles that apply a fix.
The PowerShell command Get-HotFix will list the KBs installed on a Windows system.
Affected Products:[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”10577″ img_size=”full”][vc_single_image image=”10578″ img_size=”full”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text css=”.vc_custom_1594803750719{margin-bottom: 0px !important;}”]Prevent:
While Microsoft has not identified any mitigating factors for this vulnerability, they have provided the following registry changes as a workaround:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters DWORD = TcpReceivePacketSize Value = 0xFF00
This does not require a host reboot but will require a restart of the DNS Service to take effect.
This change reduces the maximum size of TCP packets accepted by the server from client requests to 255 bytes less than the default maximum. The side effect is that the DNS server will not resolve names for clients when the DNS response from upstream server(s) is larger than 65280 bytes.
After applying the appropriate patch, remove this workaround by deleting the TcpReceivePacketSize registry key and restart the DNS Service.
React:
Administrators should update affected systems as soon as possible or apply the recommended workaround until patching is possible.
Sources:
[1] https://msrc-blog.microsoft.com/2020/07/14/July-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1350
[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
[4] https://www.thezdi.com/blog/2020/7/14/the-july-2020-security-update-review[/vc_column_text][/vc_column][/vc_row]