CVE-2020-1350: Windows DNS Server Worm-level remote code execution vulnerability alert

The Microsoft security team announced a major security vulnerability in the Windows DNS server yesterday evening. The vulnerability had been reported to Microsoft by researchers ahead of the disclosure. Its identifier is CVE-2020-1350.

Microsoft released more details after fixing the vulnerability. Microsoft stated that the vulnerability is wormable, that is, it can spread from one server system to another without any user interaction.

In the Common Vulnerability Scoring System (CVSS), Microsoft gave the vulnerability a score of 10 points out of a maximum of 10, which underscores its severity.


As a comparison, EternalBlue, the vulnerability used by WannaCry, scored 8.5, and EternalBlue was already alarming enough, let alone this 10-point DNS vulnerability.

The Windows DNS server is a core network component provided by Microsoft. With this component, companies can run their own domain name resolution system and deploy multiple resolution policies.

The high-risk security vulnerability disclosed this time stems from a flaw in how Microsoft's DNS server role handles certain requests. In fact, this vulnerability has existed for up to 17 years without being discovered.

When an attacker sends a specially crafted request to the DNS server, the domain name resolution system mishandles it and the vulnerability is triggered. Through this vulnerability, the attacker can remotely execute arbitrary code.

Consequently, the vulnerability only affects systems on which Windows Server is deployed in the DNS server role. Systems without the DNS server role are not affected.

The vulnerability exists in all versions of the Windows Server operating system, including:

  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server version 1909 (Server Core installation)
  • Windows Server version 1903 (Server Core installation)
  • Windows Server version 2004 (Server Core installation)

For now, there is no evidence that an attacker has exploited the vulnerability, but it is imperative that all affected servers install the latest security updates immediately.

Installing the security update requires a system restart. If your business cannot tolerate that interruption, you can temporarily block the attack path through a registry change.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

  • The Default (also max) Value = 0xFFFF
  • The Recommended Value = 0xFF00 (255 bytes less than the max)
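As an added example (not part of the original advisory or Microsoft's own tooling), the following PowerShell script applies the registry workaround described above on a Windows DNS server, restarts the DNS service so it takes effect, and verifies the result. Only the registry path, the value name TcpReceivePacketSize and the values 0xFF00/0xFFFF come from the advisory; the function names and the structure of the script are my own and assume an elevated PowerShell session on the affected host.

```powershell
# Added example: apply and verify the CVE-2020-1350 TcpReceivePacketSize workaround.
# Run from an elevated PowerShell session on the Windows Server host running the DNS role.
# Registry path, value name and values are from Microsoft's guidance; the functions below are
# illustrative helpers, not Microsoft-provided cmdlets.

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280: 255 bytes below the default/maximum of 0xFFFF

function Get-DnsTcpReceivePacketSize {
    # Returns the current DWORD value, or $null when it is not set
    # (an unset value means the DNS server uses the default maximum, 0xFFFF).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DnsTcpReceivePacketSizeWorkaround {
    # Creates or overwrites the DWORD value, then restarts the DNS service so the change applies.
    if (-not (Test-Path $RegPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed on this host?"
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $Recommended -Force | Out-Null
    # The service name of the Windows DNS Server role is 'DNS'.
    Restart-Service -Name DNS -Force
}

function Test-DnsTcpReceivePacketSizeWorkaround {
    # $true when the mitigation is in place: the value exists and is no larger than 0xFF00.
    $current = Get-DnsTcpReceivePacketSize
    return ($null -ne $current) -and ($current -le $Recommended)
}

# Report the state before the change, apply the workaround only if needed, then re-check.
$before = Get-DnsTcpReceivePacketSize
if ($null -eq $before) {
    Write-Host "Before: $ValueName not set (DNS uses the default 0xFFFF)"
} else {
    Write-Host ("Before: {0} = 0x{1:X}" -f $ValueName, $before)
}

if (-not (Test-DnsTcpReceivePacketSizeWorkaround)) {
    Set-DnsTcpReceivePacketSizeWorkaround
}

$after  = Get-DnsTcpReceivePacketSize
$status = if (Test-DnsTcpReceivePacketSizeWorkaround) { 'workaround applied' } else { 'workaround NOT applied' }
Write-Host ("After:  {0} = 0x{1:X} ({2})" -f $ValueName, $after, $status)
```

Restarting the DNS service briefly interrupts name resolution on that host, which is far less disruptive than the full reboot the security update needs; the verification function can also be run on its own across a fleet to confirm which servers still lack the mitigation.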