Yesterday, Microsoft released update KB3161951 as part of its June 2016 Patch Tuesday to address a critical use-after-free vulnerability that affects DNS Servers running Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 Technical Previews.
About the vulnerability
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows Server installations that are configured as DNS servers are at risk from this vulnerability.
To exploit the vulnerability, as described in CVE-2016-3227, an unauthenticated attacker could send malicious requests to a Windows Server-based DNS server, referencing system memory after it has been freed by the DNS Server process.
The vulnerability was disclosed non-publicly to Microsoft. Microsoft has rated the vulnerability as critical.
About the update
Update KB3161951 addresses the vulnerability by modifying how Windows DNS servers handle requests.
Affected Operating Systems
Both Full installations and Server Core installations of the following Windows Server Operating Systems are affected:
- Windows Server 2012 R2 Datacenter
- Windows Server 2012 R2 Standard
- Windows Server 2012 R2 Essentials
- Windows Server 2012 R2 Foundation
- Windows Server 2012 Datacenter
- Windows Server 2012 Standard
- Windows Server 2012 Essentials
- Windows Server 2012 Foundation
A system restart is required after you apply this security update.
Update KB3161951 replaces update KB3100465.
Mitigating factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Call to action
Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3161951 on DNS Servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to DNS Servers in the production environment.
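To track the rollout, the following PowerShell sketch reports which servers run the DNS Server role and whether KB3161951 is listed as installed. It is an added example, not part of the original post or of Microsoft's guidance. The server names are constructed placeholders, and it assumes the ServerManager module is available and that remote WMI and WinRM access to the servers is allowed.

```powershell
# Added example: report which Windows DNS servers still lack KB3161951.
# $Servers is a constructed placeholder list; replace it with your own server names.
$Servers = @('dns01.example.test', 'dns02.example.test')
$KbId    = 'KB3161951'

$report = foreach ($server in $Servers) {
    $row = [ordered]@{
        Server      = $server
        OS          = $null
        DnsRole     = $null
        KbInstalled = $null
        InstalledOn = $null
        LastBoot    = $null
        Error       = $null
    }
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $row.OS       = $os.Caption
        $row.LastBoot = $os.LastBootUpTime

        # Only installations configured as DNS servers are at risk from CVE-2016-3227.
        $role = Get-WindowsFeature -Name DNS -ComputerName $server -ErrorAction Stop
        $row.DnsRole = [bool]$role.Installed

        # Get-HotFix reports a non-terminating error when the update is not listed.
        $hotfix = Get-HotFix -Id $KbId -ComputerName $server -ErrorAction SilentlyContinue
        $row.KbInstalled = [bool]$hotfix
        if ($hotfix) { $row.InstalledOn = $hotfix.InstalledOn }
    }
    catch {
        # Unreachable or access-denied servers are reported, not silently skipped.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Sort-Object DnsRole, KbInstalled | Format-Table -AutoSize

# DNS servers where the update is not listed and still needs to be rolled out.
$report | Where-Object { $_.DnsRole -and -not $_.KbInstalled } |
    Select-Object -ExpandProperty Server
```

Compare InstalledOn with LastBoot to confirm the required restart has taken place. A server that has since received an update superseding KB3161951 may not list this KB, so verify such results against the server's update history.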
Related KnowledgeBase articles
3164065 MS16-071: Security update for Microsoft Windows DNS Server: June 14, 2016
Further reading
CWE-416: Use After Free
CVE-2016-3227
Nationaal Cyber Security Centrum: MS16-071: Microsoft verhelpt kwetsbaarheid in Microsoft Windows DNS (Dutch)
Qualys Microsoft Security Bulletin: June 14