Windows DNS Server Remote Code Execution Vulnerability (SIGred, Wormable, Critical, CVE-2020-1350)

Windows Server

Yesterday, Microsoft released updates for all supported versions of Windows and Windows Server to address a remote code execution vulnerability in DNS Server, rated critical. Its Common Vulnerabilities and Exposures (CVE) identifier is CVE-2020-1350.


About the vulnerability

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.

Microsoft considers this vulnerability to be wormable, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and is commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

Affected Operating Systems

Windows Server installations dating back to Windows Server 2008 that are configured as DNS servers are at risk from this vulnerability. Both Server Core and Full installations of Windows Server are affected. The recently released Windows Server version 2004 is also vulnerable.

The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol-level flaw, so it does not affect non-Microsoft DNS server implementations. If your organization uses Domain Controllers but relies on Infoblox for DNS, for example, this vulnerability does not affect the Domain Controllers in your organization.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.


Addressing the vulnerability

There are two ways to address the vulnerability:

  1. Apply updates
  2. Add a registry key

Microsoft recommends that everyone who manages Windows Server-based DNS servers install the security update as soon as possible. If you are unable to apply the patch right away, Microsoft recommends that you apply the workaround as soon as possible to protect your environment until you install the updates.


Update

These updates address the vulnerability by modifying how Windows DNS servers handle requests:

  • KB4565529 for 32-bit and 64-bit installations of Windows Server 2008 with SP2
  • KB4565539 for 32-bit and 64-bit installations of Windows Server 2008 R2 with SP1
  • KB4565535 for 32-bit and 64-bit installations of Windows Server 2012
  • KB4565540 for Windows Server 2012 R2
  • KB4565511 for Windows Server 2016
  • KB4558998 for Windows Server 2019


Workaround

As an alternative to installing the above updates, Microsoft also provides a workaround: a registry modification that limits the size of TCP-based DNS packets the server accepts.

The lines of Windows PowerShell below add the registry value and restart the DNS Server service. Run them from an elevated Windows PowerShell window:

# Registry location of the DNS Server service parameters
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# Cap the size of inbound TCP DNS packets at the value Microsoft recommends (0xFF00)
New-ItemProperty -Path $RegPath -Name TcpReceivePacketSize -Value 0xFF00 -PropertyType DWORD
# The DNS Server service must be restarted for the new value to take effect
Restart-Service DNS

To roll back the temporary registry value after applying the update, run the following lines of Windows PowerShell in an elevated Windows PowerShell window:

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# Remove the workaround value; the patched DNS Server no longer needs it
Remove-ItemProperty -Path $RegPath -Name TcpReceivePacketSize
Restart-Service DNS
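As an added check that is not part of Microsoft’s guidance or of this post, the following Windows PowerShell reports whether a host runs the DNS Server service, whether the TcpReceivePacketSize workaround value from above is present, and whether one of the KB numbers listed in this post shows up as installed. It assumes the KB list above is complete for the host’s OS version; Get-HotFix only sees updates installed as separate packages, so a system patched by a later cumulative update may not match.

```powershell
# Added example (not from the original post): summarize CVE-2020-1350 exposure
# on the local host. Run from an elevated PowerShell window on the DNS server.
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# KB numbers taken from the update list in this post
$KnownKBs = "KB4565529","KB4565539","KB4565535","KB4565540","KB4565511","KB4558998"

# 1. Only hosts running the DNS Server service are in scope
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Output "DNS Server service not installed; CVE-2020-1350 does not apply to this host."
    return
}

# 2. Is the workaround value present and set to the recommended 0xFF00?
$value = (Get-ItemProperty -Path $RegPath -Name TcpReceivePacketSize -ErrorAction SilentlyContinue).TcpReceivePacketSize
$workaroundApplied = ($null -ne $value) -and ($value -eq 0xFF00)

# 3. Is one of the listed July 2020 updates installed as a hotfix package?
$installed = Get-HotFix |
    Where-Object { $KnownKBs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# Emit one object so the result can be collected from many servers with Invoke-Command
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    DnsServiceStatus     = $dns.Status
    TcpReceivePacketSize = $(if ($null -ne $value) { '0x{0:X}' -f $value } else { 'not set' })
    WorkaroundApplied    = $workaroundApplied
    PatchInstalled       = [bool]$installed
    MatchingKBs          = ($installed -join ', ')
    # Either control in place means the host is no longer in the default exposed state
    Covered              = $workaroundApplied -or [bool]$installed
}
```

Because the registry value is read back from HKLM, the same script also answers the question of whether the workaround survives a reboot: run it after restarting the server and confirm WorkaroundApplied is still True.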

Concluding

This might be the one. Expect Code Red-type fallout. This is the vulnerability that hits hard, because the conditions are perfect: it’s the holiday season, it’s wormable, and company devices are out on the Internet, connecting back through VPNs. Check Point released their write-up and Proof of Concept within hours of the update.

3 Responses to Windows DNS Server Remote Code Execution Vulnerability (SIGred, Wormable, Critical, CVE-2020-1350)

  1.  

    Applying the update is not possible on 2008R2 from what many have found:
    https://www.reddit.com/r/sysadmin/comments/hru0ra/anyone_having_issue_installing_the_patch_for_the/

  2.  

    Can anyone advise if the workaround works?
    Or how to confirm it indeed solves the DNS vulnerability?
    Does it survive a reboot of the server?

    Thanks

    • Hi John,

      The workaround limits the network packet size for the DNS service. The workaround can help prevent the vulnerability from being exploited. It might help keep DNS servers from getting abused in the specific way shown by Check Point, but there may be other ways to abuse the vulnerability or related vulnerabilities. In my opinion, the workaround can buy your organization the hours or days to plan, functionally test and technically accept the update on your DNS Servers and/or Domain Controllers.

      The registry values shown survive a reboot. The registry values can be safely removed after you apply the update.
