SigRed: CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability

Description

The Microsoft Patch Tuesday release for July 14, 2020 contains 123 reported disclosures. This month's release includes one critical vulnerability in Microsoft Windows Server (CVE-2020-1350) that allows remote code execution by an unauthenticated attacker. Microsoft has also confirmed that it is wormable, meaning it requires no user interaction.


What are the specifics of the vulnerability?

Microsoft Windows Server can be attacked by an unauthenticated attacker sending malicious DNS requests to a Windows DNS server. The vulnerability results from a flaw in Microsoft's DNS server role implementation and affects all Windows Server versions. It potentially allows an attacker to run arbitrary code as the Local System account. Because the Windows DNS service runs as SYSTEM, an attacker can obtain Domain Administrator rights and ultimately gain elevated privileges, potentially compromising the entire organization.


What versions of software are affected?

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)


Is this issue Windows Server (and Microsoft) specific?

Yes. This is a Microsoft Windows Server specific issue and affects only Windows platforms.


Is the Microsoft Windows DNS client vulnerable to this issue?

No. Only Microsoft Windows Server versions are affected.


Have there been reports of in-the-wild exploitation?

No. Microsoft has not observed in-the-wild attacks exploiting CVE-2020-1350.


Any suggestions or mitigation/workarounds?

Because of its CVSS (Common Vulnerability Scoring System) score of 10 and its potentially wormable impact, FortiGuard Labs suggests that customers running affected Windows Server versions apply this month's updates as soon as possible. If that is not possible, it is recommended that those affected perform the workaround steps outlined by Microsoft below:

Workarounds

The following registry modification has been identified as a workaround for this vulnerability.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

DWORD = TcpReceivePacketSize

Value = 0xFF00

Note: A restart of the DNS service is required for the change to take effect.

Please see KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350 for more information.

To remove the workaround:

After applying the patch, the admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
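The registry workaround above and its later removal, as an added PowerShell example (not part of Microsoft's guidance or the original advisory). It assumes an elevated session on a Windows Server with the DNS Server role installed; the key, value name, and data are the ones given in the workaround, and the function names are the author's own.

```powershell
# Added example: apply, verify and remove the CVE-2020-1350 registry workaround.
# Assumes an elevated PowerShell session on a Windows Server with the DNS Server role.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$Workaround = 0xFF00   # 65280, the value recommended in the advisory

function Get-SigRedWorkaroundState {
    # Returns the current TcpReceivePacketSize, or $null when the value is not set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-SigRedWorkaround {
    # Creates (or overwrites) the DWORD, restarts the DNS service, and verifies the result.
    if (-not (Test-Path $KeyPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed?"
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Workaround -Force | Out-Null
    Restart-Service -Name DNS -Force
    $current = Get-SigRedWorkaroundState
    if ($current -ne $Workaround) { throw "Workaround not applied: value is '$current'" }
    Write-Output ("Workaround applied: {0} = 0x{1:X}" -f $ValueName, $current)
}

function Disable-SigRedWorkaround {
    # Removes only TcpReceivePacketSize; everything else under the Parameters key is untouched.
    if ($null -eq (Get-SigRedWorkaroundState)) {
        Write-Output "Workaround is not present; nothing to remove."
        return
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Restart-Service -Name DNS -Force
    Write-Output "Workaround removed and DNS service restarted."
}

# Report the current state so an admin can confirm what is in place before changing it.
$state = Get-SigRedWorkaroundState
if ($null -eq $state) { Write-Output "$ValueName is not set (workaround absent)." }
else { Write-Output ("{0} = 0x{1:X} ({1})" -f $ValueName, $state) }
```

Run Enable-SigRedWorkaround on unpatched servers and Disable-SigRedWorkaround once the July 2020 update has been installed.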


What is the status of AV and IPS coverage?

Fortinet customers running the latest IPS definitions (15.886) are protected against CVE-2020-1350 by:

MS.Window.DNS.Server.SIG.Record.Parsing.Integer.Overflow

AV coverage is not feasible for this event.