Today, during this December Patch Tuesday, Microsoft released a security update for Windows Server DNS among other security-related updates. While I’d normally only draw your attention to Active Directory security updates, I’ve chosen to blog on this update, because the vast majority of Active Directory Domain Controllers I come across function as DNS Servers serving Active Directory-integrated DNS zones,
The situation
This security update resolves a vulnerability in Microsoft Windows Server. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a Windows Server equipped with the DNS server role.
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly parse requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
An attacker could create a specially crafted application to connect to a Windows DNS server and then issue malicious requests to the server. The update addresses the vulnerability by modifying how Windows Servers with the DNS Server role parse requests.
Since the vast majority of Active Directory Domain Controllers act as DNS Servers on internal networks, this makes them vulnerable to attacks from those networks, so-called ‘insider attacks’. While perimeter firewalls might inspect DNS requests sent to DNS Servers, you are unlikely to find such inspection on the internal networks of many organizations.
About MS15-127
The security updates accompanying security bulletin MS15-127 resolve the above vulnerability in Microsoft Windows Server installations acting as DNS Servers.
Affected Operating Systems
All Windows and Windows Server Operating Systems currently supported by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:
- Windows Server 2008 with Service Pack 2
- Windows Server 2008 x64 with Service Pack 2
- Windows Server 2008 for Itanium-based Systems with Service Pack 2
- Windows Server 2008 R2
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2012
- Windows Server 2012 R2
On all the above platforms, the vulnerability is rated Critical.
Update 3100465
Using Windows Update, Windows Server Update Services, System Center Configuration Manager, Intune, or your 3rd party update solution, install KB3100465.
Prerequisites
On Windows Server 2012 R2, the April 2014 cumulative update (KB2919355) needs to be installed first.
Known Issues
If you install a language pack after you install this update, you must reinstall this update.
Restart
A system restart is required after you apply this security update.
Workarounds
No workarounds have been identified for this vulnerability.
Call to action
Microsoft has not identified any mitigating factors, so I urge you to install KB3100465 on Windows Servers acting as DNS Servers in a test environment as soon as possible, assess the risk and possible impact on your production environment and then roll out this update to all Windows Servers acting as DNS Servers in the production environment.
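To find out which Domain Controllers still need this update, the following PowerShell inventory script (an added example, not part of the original post) lists every Domain Controller that runs the DNS Server service and reports whether KB3100465 is present. It assumes the RSAT ActiveDirectory module is installed and that the account running it has remote service-control and WMI access to each Domain Controller.

```powershell
# Added example (not from the original post): report which Domain Controllers
# run the DNS Server service and whether KB3100465 (MS15-127) is installed.
# Assumes: RSAT ActiveDirectory module, remote SCM and WMI access to each DC.
Import-Module ActiveDirectory

$Kb = 'KB3100465'   # security update for MS15-127, taken from the post

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Only servers carrying the DNS Server role are exposed; the role
        # shows up as the 'DNS' service on Windows Server 2008 through 2012 R2.
        $dnsSvc = Get-Service -Name 'DNS' -ComputerName $name -ErrorAction SilentlyContinue
        if (-not $dnsSvc) { continue }

        # Get-HotFix queries Win32_QuickFixEngineering for installed updates by KB id
        $hotfix = Get-HotFix -ComputerName $name -ErrorAction Stop |
                  Where-Object { $_.HotFixID -eq $Kb }

        [pscustomobject]@{
            DomainController = $name
            OperatingSystem  = $dc.OperatingSystem
            DnsServiceState  = $dnsSvc.Status
            Patched          = [bool]$hotfix
            InstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        }
    }
    catch {
        # Keep unreachable hosts in the report rather than silently dropping them
        [pscustomobject]@{
            DomainController = $name
            OperatingSystem  = $dc.OperatingSystem
            DnsServiceState  = 'query failed'
            Patched          = 'unknown'
            InstalledOn      = $_.Exception.Message
        }
    }
}

# Rows with Patched = False are DNS-hosting DCs that still need the update
$report | Sort-Object Patched, DomainController | Format-Table -AutoSize
```

Run it from a management host in the forest; hosts that fail the remote query are listed separately so they can be checked by hand rather than assumed patched.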
Related KnowledgeBase Articles
3100465 Security update for Microsoft Windows DNS to address remote code execution: December 8, 2015