Security Thoughts: Security Update for DNS Server to Address Remote Code Execution (MS15-127, KB3100465, CVE-2015-6125, Critical)

Today, during this December Patch Tuesday, Microsoft released a security update for Windows Server DNS among other security-related updates. While I’d normally only draw your attention to Active Directory security updates, I’ve chosen to blog on this update, because the vast majority of Active Directory Domain Controllers I come across function as DNS Servers serving Active Directory-integrated DNS zones,

 

The situation

This security update resolves a vulnerability in Microsoft Windows Server. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a Windows Server equipped with the DNS server role.

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly parse requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

An attacker could create a specially crafted application to connect to a Windows DNS server and then issue malicious requests to the server. The update addresses the vulnerability by modifying how Windows Servers with the DNS Server role parse requests.

Since the vast majority of Active Directory Domain Controllers act as DNS Servers on the internal networks, this makes them vulnerable to attacks from these networks, so called ‘insider attacks’.  While perimeter firewalls might inspect DNS requests to DNS Servers, you will not likely find these on internal networks in many organizations.

 

About MS15-127

The security updates accompanying security bulleting MS15-122 resolve the above  vulnerability in Microsoft Windows Server installations acting as DNS Servers.

Affected Operating Systems

All Windows and Windows Server Operating Systems currently in support by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:

  • Windows Server 2008 with Service Pack 2
  • Windows Server 2008 x64 with Service Pack 2
  • Windows Server 2008 for Itanium-based Systems with Service Pack 2
  • Windows Server 2008 R2
  • Windows Server 2008 R2 for Itanium-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2

On all the above platforms, the vulnerability is rated Critical.

Update 3100465

Using Windows Update, Windows Server Update Services, System Center Configuration Manager, Intune, or your 3rd party update solution, install the KB3100456.

Prerequisites

On Windows Server 2012 R2 update KB2919355 April 2014 Cumulative update needs to be installed.

Known Issues

If you install a language pack after you install this update, you must reinstall this update.

Restart

A system restart is required after you apply this security update.

Workarounds

No workarounds have been identified for this vulnerability.

 

Call to action

Microsoft has not identified any mitigating factors , so I urge you to install KB3100456  on Windows Servers acting as DNS Servers in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to all Windows Server acting as DNS Servers in the production environment.

Related KnowledgeBase Articles

3100465 Security update for Microsoft Windows DNS to address remote code execution: December 8, 2015

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.