Security Alert: Microsoft DNS Server Remote Code Vulnerability

Date:
2020-07-15 04:11:00
Status:
Closed
Brief Description:
Microsoft disclosed a vulnerability: CVE-2020-1350, Windows DNS Server Remote Code Execution Vulnerability. A remote attacker could exploit this vulnerability to execute remote code on a vulnerable Windows DNS server. Updates and a workaround are available.
Current Status:
N/A
Services Affected:
Not Applicable
Full Description:
Microsoft disclosed a vulnerability: CVE-2020-1350, Windows DNS Server Remote Code Execution Vulnerability. A remote attacker could exploit this vulnerability to execute remote code on a vulnerable Windows DNS server. Updates and a workaround are available.

This vulnerability, also known as "SIGRed", allows an attacker who successfully exploits it to run arbitrary code in the context of the Local System Account, and the attacker could therefore be granted Domain Administrator rights. Microsoft considers this vulnerability to be "wormable", in that it can be easily spread from server to server without user interaction. Windows Server versions 2003 through 2019 that are functioning as DNS servers are affected by this vulnerability. Security updates and a workaround have been released for supported versions of Windows Server. Windows Desktop clients are not affected by this vulnerability.

The IT Security Office recommends immediate patching of all vulnerable systems. If immediate patching is not possible, there is a workaround via the Windows System Registry that restricts the size of the largest inbound TCP-based DNS response packet allowed. The steps to install the relevant security updates or implement the workaround are outlined in the external links below.

For customers of CIT's Managed Server Service - the security patch is already available to all customers. The Managed Server Team will be issuing their own statement.

External Links to more information:
Microsoft Security Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
Microsoft workaround guidance - https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Check Point Research - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/