Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350): What You Need to Know

On Tuesday, July 14, 2020, Microsoft released a patch for a 17-year-old remote code execution (RCE) vulnerability in Windows Domain Name System (DNS) servers, discovered by Check Point researchers and disclosed as CVE-2020-1350. While a patch is available, organizations that can should quickly deploy the following registry entry on all Microsoft DNS servers to help block any in-development or in-use exploits:


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value name: TcpReceivePacketSize
Type: DWORD
Value: 0xFF00
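The following PowerShell is an added example (not Rapid7's or Microsoft's code) that applies the workaround above on a DNS server, verifies the write, and restarts the DNS Server service, which Microsoft's guidance requires before the new limit takes effect. It assumes an elevated session on the DNS server itself and that the service is registered under the name DNS.

```powershell
# Apply and verify the CVE-2020-1350 registry workaround (TcpReceivePacketSize = 0xFF00).
# Assumption: run in an elevated PowerShell session on the Windows DNS server.
function Set-DnsTcpReceivePacketSize {
    param(
        [uint32]$Desired = 0xFF00
    )
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $valueName = 'TcpReceivePacketSize'

    # Record the current value (if any) so the change can be reverted once the patch is applied.
    $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $current) {
        Write-Host "$valueName is not set (server is using the default); creating it."
    } else {
        Write-Host ("{0} is currently 0x{1:X}" -f $valueName, $current)
    }

    # Create or overwrite the DWORD value.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $Desired -Force | Out-Null

    # Read it back before touching the service so a failed write is caught here.
    $applied = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
    if ($applied -ne $Desired) {
        throw ("Registry write failed: expected 0x{0:X}, found 0x{1:X}" -f $Desired, $applied)
    }

    # The DNS Server service (service name 'DNS') must be restarted for the value to take effect.
    Restart-Service -Name DNS -Force
    Write-Host ("{0} set to 0x{1:X}; DNS Server service restarted." -f $valueName, $applied)
}

Set-DnsTcpReceivePacketSize
```

Wrap the function in Invoke-Command against your list of DNS servers to roll it out fleet-wide, and remove the value again once every server carries the July 2020 update.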

Rapid7 strongly encourages all organizations running Microsoft DNS (i.e., every organization using Active Directory, so, literally, pretty much every organization) to deploy the mitigation and patch as quickly as possible, since systems as far back as Windows Server 2003 are impacted.


Organizations that have the ability to analyze DNS requests should also configure detection technologies to flag anomalous use of SIG record queries (more on “why?” in the Extended Analysis).


This vulnerability only impacts Microsoft DNS servers.


Extended analysis of CVE-2020-1350


This Windows DNS server RCE vulnerability is currently rated CVSS 10.0, and Microsoft noted that the weakness is wormable, but that may not tell the full story. As Rapid7's own Grant Willcox noted in the AttackerKB assessment:



"This is rather odd to me. 0xFF00 looks like a potential mitigation against an integer overflow, as it's possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. ..
