14/07/2020

Active exploitation of Windows DNS Server – CVE-2020-1350

“Updated..

On July 14, 2020, Microsoft disclosed a critical remote code execution vulnerability (CVE-2020-1350) that affects Windows Server releases configured as Domain Name System (DNS) servers. The vulnerability is due to improper handling of requests by the Windows DNS server: it is not a protocol flaw. Exploitation could allow unauthenticated remote attackers to execute arbitrary code in the security context of the Local System Account.

Threat actors have exploited similar network vulnerabilities over the past 12 months to widely deploy web shells and other malware. Microsoft indicated that this vulnerability is wormable. Internet-accessible Windows DNS servers are at the greatest risk. However, internal servers could be exploited by a threat actor who has access to the internal network.

Recommended actions – Our security Partner Secureworks(R) Counter Threat Unit(TM) (CTU) researchers recommend a review and apply updates as appropriate in their environments as soon as possible, they also note that Microsoft published a registry modification option for users that cannot apply the update in a timely manner.

Recommendation(s):
Microsoft Monthly Rollup

The following registry modification has been identified as a workaround for this vulnerability.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
Note: A restart of the DNS Service is required to take effect.

If you have any questions or concerns about this advisory, please contact us – support@empsn.org.uk 

References:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1350

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?

Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

Our partners