The March 2021 Cumulative Update addresses seven Windows Server DNS vulnerabilities

Today, for its March 2021 Patch Tuesday, Microsoft released a security update that addresses seven vulnerabilities in DNS Servers running Windows Server.

About the vulnerabilities

The vulnerabilities are described as follows:

CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26877, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Microsoft Platform Security & Vulnerability Research.

CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26893, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.

CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26894, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.

CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26895, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

The vulnerability was discovered by Nicolas Joly of Microsoft.

CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability

A denial of service vulnerability, identified as CVE-2021-26896, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could disrupt DNS services. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 7.5/6.5.

CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical

A remote code execution vulnerability, identified as CVE-2021-26897, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 9.8/8.5.

CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability

A denial of service vulnerability, identified as CVE-2021-27063, exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could disrupt DNS services. To be vulnerable, the DNS server would need to have dynamic updates enabled. The vulnerability is rated with a CVSSv3 score of 7.5/6.5.

Affected Operating Systems

Windows Server installations dating back to Windows Server 2008 that are configured as DNS servers with dynamic updates are at risk from these vulnerabilities. Both Server Core and Full installations of Windows Server are affected. The recently released Windows Server version 20H2 is also vulnerable.

Mitigations

Enabling Secure Zone Updates constrains the potential sources of attacks that exploit the above vulnerabilities, but does not completely prevent them. For example, a malicious insider could attack a DNS server that accepts only secure zone updates from a domain-joined computer. Hence, enabling Secure Zone Updates provides only a partial mitigation.

These vulnerabilities impact any DNS server, both standalone primary authoritative DNS servers and DNS servers that are integrated with Active Directory. The surrounding configuration can limit possible vectors and sources for the attack, but proper mitigation requires this month’s security update.
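
To see which servers meet the dynamic updates precondition before and after patching, here is an added example (not part of the original post or Microsoft's guidance) that lists the dynamic update setting of every hosted primary zone. It uses Get-DnsServerZone from the DnsServer module (RSAT DNS Server tools); the function name and the server names are placeholders.

```powershell
# Added example: report the dynamic update setting of each primary zone.
# Needs the DnsServer module and rights to query the target DNS servers.
function Get-DnsDynamicUpdateExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($server in $ComputerName) {
        try {
            $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${server}: $($_.Exception.Message)"
            continue
        }

        # Only primary zones hosted by the server accept dynamic updates;
        # auto-created placeholder zones (0.in-addr.arpa etc.) are skipped.
        $primary = @($zones | Where-Object {
            $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated
        })

        foreach ($zone in $primary) {
            $assessment = switch ([string]$zone.DynamicUpdate) {
                'None'               { 'Dynamic updates disabled for this zone' }
                'Secure'             { 'Secure only: partial mitigation, still patch' }
                'NonsecureAndSecure' { 'Nonsecure updates accepted: patch first' }
                default              { 'Unrecognized setting: review manually' }
            }
            [pscustomobject]@{
                Server        = $server
                Zone          = $zone.ZoneName
                DsIntegrated  = $zone.IsDsIntegrated
                DynamicUpdate = [string]$zone.DynamicUpdate
                Assessment    = $assessment
            }
        }
    }
}

# Placeholder server names (constructed for this example).
Get-DnsDynamicUpdateExposure -ComputerName 'dc01.example.test', 'dns02.example.test' |
    Sort-Object DynamicUpdate, Server, Zone |
    Format-Table -AutoSize
```

A server that returns no rows hosts no primary zones of its own. The report only helps prioritize; installing the security update remains the fix.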

Call to Action

I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in the production environment.

FURTHER READING

Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078)
Windows DNS Server RCE Vulnerability (SIGred, Wormable, Critical, CVE-2020-1350)
DNS Server Heap Overflow Vulnerability could allow RCE (Critical, CVE-2018-8626)
Vulnerability in DNS Server could allow RCE (Critical, CVE-2016-3227)
Security Update for DNS Server to Address RCE (Critical, CVE-2015-6125)

2 Responses to The March 2021 Cumulative Update addresses seven Windows Server DNS vulnerabilities

  1. Thanks Sander! If an organization uses a 3rd party DNS server, but still has DNS running on their Windows AD domain controllers as forwarders (the DCs host no zones at all, and just forward to the 3rd appliance) would they not be vulnerable?

    • Hi Trey,

      All seven vulnerabilities exist in the dynamic updates functionality.
      This functionality is enabled by default on new DNS zones, but as the Windows Server-based DNS servers have no zones configured, the functionality would not be offered.
      The Windows Server-based DNS servers would not be vulnerable to attacks targeting these seven vulnerabilities.

      However, be sure you have the February 2021 cumulative update installed to remedy CVE-2021-24078.
