Vulnerability in Windows Domain Name System (DNS)

On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.

A registry-based workaround can be leveraged to help protect an affected Windows server, and it can be implemented without requiring an administrator to restart the server. Because of the volatility of this vulnerability, administrators may have to implement the workaround before applying the security update in order to enable them to update their systems by using a standard deployment cadence.

Affected Software / System

This advisory specifically applies to the following Windows server versions:

• Windows Server, version 2004 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1803 (Server Core Installation)
• Windows Server 2019 (Server Core installation)
• Windows Server 2019
• Windows Server 2016 (Server Core installation)
• Windows Server 2016
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 (Server Core installation)
• Windows Server 2012
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for 32-bit Systems Service Pack 2

CVE (if applicable)

CVE-2020-1350

Type

Remote Code Execution (RCE)

Exploit Status: Exploited but not Public

Unknown at this time.

Rating

CVSS Score of 10/10 (Severe)

Impact

An attacker who exploited the vulnerability could run arbitrary code in the context of the Local System Account. Due to the fact that the DNS service runs in elevated privileges, if it is compromised, an attacker is also granted successfully Domain Administrator rights, and in some circumstances, the vulnerability can be triggered remotely through browser sessions.

Mitigation

• Microsoft recommended workaround:
  • The following registry modification has been identified as a workaround for this vulnerability.

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
 DWORD = TcpReceivePacketSize
 Value = 0xFF00

• •  Note:A restart of the DNS Service is required to take effect.
  • To remove the workaround patch:
    • The admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
    • Additional workaround implementation details can be found here.

Ingalls recommends the following actions:

• Ingalls recommends that any organization with DNS services in Microsoft Windows environments to install the security update(s) as soon as possible. However, if you are unable to apply the patch right away, Ingalls recommends that you use the workaround as soon as possible to protect your environment in the time before you install the updates.