Today, for its February 2021 Patch Tuesday, Microsoft released a critical security update for DNS Servers running Windows Server. This vulnerability is known as CVE-2021-24078 and is rated with CVSSv3.0 scores of 9.8/8.5.
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network.
Disclosure
The vulnerability was responsibly disclosed to Microsoft by Quan Luo from Codesafe Team of Legendsec at Qi'anxin Group.
AFFECTED OPERATING SYSTEMS
Windows Server installations dating back to Windows Server 2008 that are configured as DNS servers are at risk from this vulnerability. Both Server Core and Full installations of Windows Server are affected. The recently released Windows Server version 20H2 is also vulnerable.
MITIGATIONS
Microsoft has not identified any mitigating factors for this vulnerability.
Call to Action
I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Windows Server installations running as (Active Directory Domain Controllers and) DNS Servers in the production environment.
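To scope that rollout, the following added example (not part of the original post) lists which servers actually have the DNS Server role installed and whether one of the relevant updates is present. It assumes the RSAT ActiveDirectory and ServerManager modules and remote management access to the servers; the KB IDs are a parameter you fill in from Microsoft's advisory for CVE-2021-24078, because this page does not list them.

```powershell
# Added example: inventory servers with the DNS Server role and check for the fix.
# Assumptions: RSAT ActiveDirectory and ServerManager modules, remote WMI/WinRM access.
param(
    # KB IDs of the February 2021 updates for your OS versions, taken from
    # Microsoft's advisory for CVE-2021-24078 (not listed on this page).
    [Parameter(Mandatory)] [string[]] $KbIds,

    # Servers to check; defaults to all domain controllers in the current domain.
    # Pass standalone DNS servers explicitly.
    [string[]] $ComputerName = (Get-ADDomainController -Filter *).HostName
)

foreach ($server in $ComputerName) {
    try {
        # Only servers configured as DNS servers are affected.
        $dns = Get-WindowsFeature -Name DNS -ComputerName $server -ErrorAction Stop
        if (-not $dns.Installed) { continue }

        $os  = Get-CimInstance Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $fix = Get-HotFix -ComputerName $server -ErrorAction Stop |
            Where-Object { $KbIds -contains $_.HotFixID }

        [pscustomobject]@{
            Server    = $server
            OS        = $os.Caption
            Build     = $os.Version
            MatchedKB = ($fix.HotFixID -join ',')
            Status    = if ($fix) { 'Update found' } else { 'Review: listed KB not installed' }
        }
    }
    catch {
        # Report servers that could not be queried instead of silently skipping them.
        [pscustomobject]@{
            Server    = $server
            OS        = $null
            Build     = $null
            MatchedKB = $null
            Status    = "Check failed: $($_.Exception.Message)"
        }
    }
}
```

A later cumulative update supersedes the February 2021 one, so treat a "Review" result as a prompt to compare the reported build against the advisory rather than as proof the server is unpatched.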
Further reading
Windows DNS Server RCE Vulnerability (SIGred, Wormable, Critical, CVE-2020-1350)
DNS Server Heap Overflow Vulnerability could allow RCE (Critical, CVE-2018-8626)
Vulnerability in DNS Server could allow RCE (Critical, CVE-2016-3227)
Security Update for DNS Server to Address RCE (Critical, CVE-2015-6125)