Security Thoughts: Vulnerability in DNS Server could allow remote code execution (MS16-071, KB3164065, CVE-2016-3227)

Reading Time: 2 minutes

Yesterday, Microsoft released update KB3161951 as part of its June 2016 Patch Tuesday to address a critical use after free vulnerability that affects DNS Servers running Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 Technical Previews.


About the vulnerability

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows Server installations that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, as described in CVE-2016-3227, an unauthenticated attacker could send malicious requests to a Windows Server-based DNS server, referencing system memory after it has been freed by the DNS Server process.

The vulnerability was disclosed non-publicly to Microsoft. Microsoft has rated the vulnerability as critical.


About the update

Update KB3161951 addresses the vulnerability by modifying how Windows DNS servers handle requests.

Affected Operating Systems

Both Full installations and Server Core installations of the following Windows Server Operating Systems are affected:

  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation

A system restart is required after you apply this security update.

Update KB3161951 replaces update KB3100465.

Mitigating factors

Microsoft has not identified any mitigating factors for this vulnerability.


Microsoft has not identified any workarounds for this vulnerability.


Call to action

Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3161951 on DNS Servers in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to DNS Servers in the production environment.

Related blogposts

Security Thoughts: Security Update for DNS Server to Address Remote Code Execution (MS15-127, KB3100465, CVE-2015-6125, Critical)

Related KnowledgeBase articles

3164065 MS16-071: Security update for Microsoft Windows DNS Server: June 14, 2016

Further reading

CWE-416: Use After Free 
Nationaal Cyber Security Centrum: MS16-071: Microsoft verhelpt kwetsbaarheid in Microsoft Windows DNS Dutch
Qualys Microsoft Security Bulletin: June 14

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.