Windows DNS Server Remote Code Execution Vulnerability
Released: Jul 14, 2020
Last updated: Jul 28, 2020
- Assigning CNA: Microsoft
- CVE.org link: CVE-2020-1350
Executive Summary
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.
The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation More Likely
Workarounds
The following registry modification has been identified as a workaround for this vulnerability.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
Note: A restart of the DNS Service is required to take effect.
Please see 4569509 for more information.
To remove the workaround:
After applying the patch, the admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
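The workaround and its removal as one script, for an elevated PowerShell session on the DNS server. This is an added example, not Microsoft's own code. The -Mode parameter and the restart after removal are assumptions of this example; the key, value name, and data are the ones given above.

```powershell
# Added example: audit, apply, or remove the CVE-2020-1350 registry workaround.
# -Mode is a parameter of this example, not of any Microsoft tool.
param(
    [ValidateSet('Audit', 'Apply', 'Remove')]
    [string]$Mode = 'Audit'
)

$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name  = 'TcpReceivePacketSize'
$Value = 0xFF00   # data specified in the advisory

# Only servers configured as DNS servers are affected; skip everything else.
if (-not (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)) {
    'DNS Server service not present; the workaround does not apply.'
    return
}

# $null when the value has never been set.
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

switch ($Mode) {
    'Audit' {
        if ($null -eq $current)      { "$Name is not set: workaround absent." }
        elseif ($current -eq $Value) { '{0} = 0x{1:X}: workaround in place.' -f $Name, $current }
        else { '{0} = 0x{1:X}: differs from advisory value 0x{2:X}.' -f $Name, $current, $Value }
    }
    'Apply' {
        if ($current -eq $Value) { 'Workaround already in place; nothing changed.' }
        else {
            New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
            # The advisory requires a DNS service restart for the value to take effect.
            Restart-Service -Name 'DNS' -Force
            'Workaround applied and DNS service restarted.'
        }
    }
    'Remove' {
        if ($null -eq $current) { 'Workaround not present; nothing to remove.' }
        else {
            # Deletes only this value; everything else under the key is left as before.
            Remove-ItemProperty -Path $Key -Name $Name
            # Assumption of this example: restart so the service stops using the old value.
            Restart-Service -Name 'DNS' -Force
            'Workaround removed and DNS service restarted.'
        }
    }
}
```

Run it in Audit mode first; Remove is intended for use only after the security update is installed.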
FAQ
This vulnerability has a CVSS Base score of 10. How bad is this?
We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.
Are any other non-Microsoft DNS server implementations impacted by this vulnerability?
The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol-level flaw, so it does not affect any other non-Microsoft DNS server implementations.
Under what circumstances would I consider using the registry key workaround?
Microsoft recommends that everyone who runs DNS servers install the security update as soon as possible. However, if you are unable to apply the patch right away, Microsoft recommends that you use the workaround as soon as possible to protect your environment in the time before you install the updates.
Is the Windows DNS client affected by this vulnerability?
No, the vulnerability only affects Microsoft's Windows DNS Server implementation, so the Windows DNS client is not affected.
Are internal, non-public facing DNS servers also vulnerable?
Yes. Internally facing DNS servers are also affected, because the vulnerability occurs when a server processes a maliciously crafted response, and this can be triggered by any client name request.
Are all Windows Servers affected by this vulnerability?
No. Only Windows servers that are configured as DNS servers are affected by this vulnerability.
Acknowledgements
- Sagi Tzadik and Eyal Itkin from Check Point Research
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Revisions
Added an FAQ. This is an information change only.
Added an FAQ. This is an information change only.
Information published.