Ten DNS Server vulnerabilities could lead to Remote Code Execution and Information Disclosure on Domain Controllers with default configurations


When looking at the April 2023 Patch Tuesday today, I noticed ten updates that specifically address vulnerabilities in DNS Server. These vulnerabilities are specific to Domain Controllers running DNS Server (in the default configuration), so this sparked my interest in these updates.


About the vulnerabilities

Nine DNS Server remote code execution vulnerabilities were addressed:

  1. CVE-2023-28256 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  2. CVE-2023-28278 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  3. CVE-2023-28307 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  4. CVE-2023-28306 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  5. CVE-2023-28223 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  6. CVE-2023-28254 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 7.2/6.3
  7. CVE-2023-28305 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  8. CVE-2023-28308 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8
  9. CVE-2023-28255 – Windows DNS Server Remote Code Execution Vulnerability CVSSv3 score 6.6/5.8

These vulnerabilities all allow remote code execution on Windows Server-based DNS servers over the network.

For seven of the above vulnerabilities, successful exploitation requires an adversary to win a race condition. For eight of the above vulnerabilities, the adversary or targeted user would need specific elevated privileges. As is recommended practice, regular validation and audits of administrative groups should be conducted.

Additionally, one information disclosure vulnerability was addressed:

  1. CVE-2023-28277 – Windows DNS Server Information Disclosure Vulnerability CVSSv3 score 4.9/4.3

The type of information that could be disclosed if an adversary successfully exploited this vulnerability is memory layout: the vulnerability allows an attacker to collect information that helps predict memory addresses. Successful exploitation of this vulnerability requires the adversary or targeted user to have specific elevated privileges. As is best practice, regular validation and audits of administrative groups should be conducted.


Affected Operating Systems

Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.

For CVE-2023-28277 specifically, only DNS servers that run on Windows Server 2022 are vulnerable.


Call to Action

I urge you to install the necessary security updates on Windows Server installations running as DNS servers (including Active Directory Domain Controllers) in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the Windows Server installations running as DNS servers (and Domain Controllers) in the production environment.
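The two recommendations above (roll out the April 2023 update to every Domain Controller that runs the DNS Server role, and regularly audit the administrative groups whose privileges most of these CVEs depend on) can be turned into one inventory script. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft. It assumes a domain-joined workstation with the RSAT ActiveDirectory and ServerManager modules, WinRM/RPC access to the Domain Controllers, and that you replace the `KbPlaceholder` value with the actual KB number of the April 2023 update for your OS version, which the post does not list.

```powershell
# Added example (not from the original post): inventory Domain Controllers that run the
# DNS Server role, check whether a given update is installed, and list the effective
# membership of the privileged groups the post recommends auditing.
# Assumptions: RSAT (ActiveDirectory + ServerManager) installed locally, remote access to
# the DCs, and a real KB number supplied for -KbPlaceholder (the value below is a placeholder).

#Requires -Modules ActiveDirectory, ServerManager
param(
    # PLACEHOLDER: replace with the April 2023 DNS Server update KB for your OS version
    [string]$KbPlaceholder = 'KB0000000'
)

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

$report = foreach ($dc in $dcs) {
    $hasDns    = $false
    $patched   = $false
    $reachable = $true
    try {
        # Get-WindowsFeature queries the remote server's installed roles via -ComputerName
        $dnsFeature = Get-WindowsFeature -Name DNS -ComputerName $dc.HostName -ErrorAction Stop
        $hasDns = [bool]$dnsFeature.Installed
        if ($hasDns) {
            # Get-HotFix -Id returns nothing when the KB is absent; cast to bool for a yes/no answer
            $patched = [bool](Get-HotFix -Id $KbPlaceholder -ComputerName $dc.HostName -ErrorAction SilentlyContinue)
        }
    } catch {
        $reachable = $false
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        Reachable        = $reachable
        DnsServerRole    = $hasDns
        UpdateInstalled  = $patched
    }
}

"Domain Controllers, DNS Server role and status of $KbPlaceholder :"
$report | Format-Table -AutoSize

# Flag the machines that matter for these CVEs: DNS Server role present, update missing
$report | Where-Object { $_.DnsServerRole -and -not $_.UpdateInstalled } |
    ForEach-Object { Write-Warning "$($_.DomainController) runs DNS Server but $KbPlaceholder is not installed" }

# Audit of privileged groups; nested membership is expanded with -Recursive.
# Enterprise Admins only exists in the forest root domain, so enumeration may fail elsewhere.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'DnsAdmins') {
    try {
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        "`n$group ($($members.Count) effective members):"
        $members | Select-Object objectClass, SamAccountName, distinguishedName | Format-Table -AutoSize
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
    }
}
```

Run it first against the test environment, then against production after the rollout; a Domain Controller that reports `DnsServerRole = True` and `UpdateInstalled = False` is still exposed to the nine RCE issues, and any unexpected member of DnsAdmins or Domain Admins widens the set of accounts that satisfy the elevated-privilege prerequisite for eight of them.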
