The July 2021 Patch Tuesday addresses twelve vulnerabilities for Domain Controllers running as DNS Servers


When looking at the July 2021 Patch Tuesday today, I noticed three updates that specifically address vulnerabilities in the DNS snap-in and nine vulnerabilities in DNS Server. These vulnerabilities are specific to Domain Controllers running DNS Server (in the default configuration), so this sparked my interest in these updates.

Three DNS Snap-in vulnerabilities

There are three vulnerabilities in the DNS Management snap-in:

These three vulnerabilities all allow remote code execution on systems where an admin would manage Windows Server-based DNS servers. An attacker can exploit these vulnerabilities with a malicious DNS record. When the admin views the record, these vulnerabilities can be exploited over the network with low complexity.

All three vulnerabilities were responsibly disclosed by Yuki Chen.

Nine DNS Server vulnerabilities

On top of the DNS MMC Snap-in vulnerabilities, nine vulnerabilities were also addressed in the DNS server component itself:

Ranging from 6.5/5.7 to 8.8/7.7 in CVSS v3 scores, these updates are all important updates for Windows Server installations acting as DNS servers.

Eight of these nine vulnerabilities were responsibly disclosed by Yuki Chen. CVE-2021-34444, CVE-2021-34442 and CVE-2021-33745 are also attributed to Zhiyi Zhang, Liubenjin, Ting Yu and Strawberry. One vulnerability remains unattributed.

Affected Operating Systems

The above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms (except for CVE-2021-34525; this vulnerability only applies to Windows Server 2012 R2 and above).

For Windows Server 2016, the vulnerabilities are addressed with KB5004238.
For Windows Server 2019, the vulnerabilities are addressed with KB5004244.

For the DNS Snap-in vulnerabilities, fixes are also available for client Operating Systems.

Call to Action

I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in the production environment.
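To track the rollout, the following added example (not part of the original post) reports, for each Domain Controller, whether the DNS Server role is installed and whether the KB named above for its operating system is present. It assumes the ActiveDirectory and ServerManager (RSAT) modules are available, that the account running it can query each Domain Controller remotely, and that Windows Server 2016 and 2019 are the only versions of interest, since those are the only KB numbers the post lists.

```powershell
# Added example, not from the original post.
# Assumes: ActiveDirectory + ServerManager (RSAT) modules, remote WinRM/WMI access to each DC.
Import-Module ActiveDirectory

# KB numbers exactly as given in the post, keyed by OS name fragment.
$kbByOs = @{
    'Windows Server 2016' = 'KB5004238'
    'Windows Server 2019' = 'KB5004244'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $osKey = $kbByOs.Keys | Where-Object { $dc.OperatingSystem -like "*$_*" } | Select-Object -First 1
    $kb    = if ($osKey) { $kbByOs[$osKey] } else { $null }
    $hasDns = $null

    try {
        # Is the DNS Server role installed on this DC?
        $hasDns = (Get-WindowsFeature -Name DNS -ComputerName $dc.HostName -ErrorAction Stop).Installed

        if (-not $kb) {
            $status = 'No KB listed in the post for this OS'
        }
        else {
            # Fetch the full list so that a failed query is not mistaken for a missing update.
            $installed = (Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop).HotFixID
            $status = if ($installed -contains $kb) { 'Installed' }
                      else { 'KB not found (a later cumulative update may supersede it)' }
        }
    }
    catch {
        $status = "Query failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        DnsServerRole    = $hasDns
        ExpectedKB       = $kb
        Status           = $status
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize
```

Because Windows Server cumulative updates supersede one another, a Domain Controller patched with a later monthly update will show "KB not found" even though the fixes are present, so treat that status as a prompt to check the installed update level rather than as proof of exposure.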
