Spoofing Vulnerability in DNS Resolver (SAD DNS, Important, CVE-2020-25705, ADV200013)

Windows Server

On December 8th, 2020, Microsoft issued an advisory for a spoofing vulnerability in the DNS Resolver component.

Microsoft refers to the advisory as ADV200013. BleepingComputer.com references CVE-2020-25705 in relationship to this vulnerability. In the advisory notice, Microsoft guides DNS admins to limit the DNS UDP packet size to stop DNS cache poisoning attacks leveraging this vulnerability in their tracks.

After the registry update, the DNS resolver will switch to TCP for all responses larger than 1,221 bytes, automatically blocking these types of attacks.


About the vulnerability

The addressing spoofing vulnerability, tracked as CVE-2020-25705 and nicknamed SAD DNS (Side-channel AttackeD DNS), exists in the Windows DNS resolver component that comes bundled with the Windows Transmission Control Protocol/Internet Protocol (TCP/IP) stack:

Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver.
An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver.

Successfully exploiting the vulnerability could allow attackers to use modified DNS records to redirect a target to a malicious website under their control as part of DNS spoofing (also known as DNS cache poisoning) attacks.

Affected Operating Systems

The security advisory is applicable for the following Microsoft Operating Systems:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1903
  • Windows Server, version 1909
  • Windows Server, version 2004
  • Windows Server, version 20H2


Addressing the vulnerability

To mitigate this vulnerability, DNS admins should alter the Registry to change the maximum UDP packet size to 1,221 bytes, which would block any DNS cache poisoning attacks attempting to exploit it on vulnerable Windows Server-based DNS servers.

To do so, admins may perform the following lines of Windows PowerShell in an elevated PowerShell window or remote session on all Windows Server installations, running as DNS servers:

$RegPath = "HKLM:\System\CurrentControlSet\Services\DNS\Parameters"

New-ItemProperty -Path $RegPath -Name MaximumUdpPacketSize `
-Value 1221 -PropertyType DWORD –Force

Restart-Service DNS


Call to Action

I urge you to perform the above steps on Windows Server installations, running as (Active Directory Domain Controllers and) DNS servers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as (Active Directory Domain Controllers and) DNS Servers, in the production environment.

Further reading

The September 2020 Patch Tuesday addresses five important vulnerabilities for Domain Controllers running as DNS Servers
Windows DNS Server Remote Code Execution Vulnerability (SIGred, Critical, CVE-2020-1350)
DNS Server Heap Overflow Vulnerability could allow Remote Code Execution (Critical, CVE-2018-8626)  
Vulnerability in DNS Server could allow remote code execution (MS16-071, KB3164065, CVE-2016-3227)
Security Update for DNS Server to Address Remote Code Execution (MS15-127, KB3100465, CVE-2015-6125, Critical)

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.