Security Alert: Exploitable Vulnerability in Windows DNS Servers

Microsoft announced today a series of patches to address CVE-2020-1350, a remote code execution vulnerability affecting Windows Servers running the DNS server role. Sending a malformed and malicious information block to an affected DNS server could allow an attacker to execute arbitrary code on the server. Because of the impact of this vulnerability and the relative ease with which the attack may be conducted, it earns a disturbingly perfect 10.0 base CVSS score, making it worthy of immediate attention. Here’s the primer: https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

And, as usual, here’s our Q & A session: 

Q: Does this affect every Windows server? 

A: No. Although any Windows Server can run the DNS Server role, that role must be installed and configured first before the role is active and exploitable. However, the DNS Server role is always present on Windows Active Directory Domain Controllers (DCs), which are present in almost every enterprise environment. If you log onto a Windows domain, you have at least one Windows DNS Server. 

Q: Are Windows workstations affected? 

A: No. The Windows DNS Client service, which runs on all servers and workstations, is unaffected. Only the DNS Server component is susceptible to attack. 
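To turn the two answers above into an inventory, the following added example (not from Microsoft or from the original post) lists which Windows Servers in a domain actually have the DNS Server role installed and whether the DNS Server service is running. It assumes Windows PowerShell 5.1, the ActiveDirectory and ServerManager RSAT modules, and remote management access to the servers; the output column names are illustrative.

```powershell
# Added example: inventory hosts that run the DNS Server role (the affected component).
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory + ServerManager modules,
# and an account allowed to query the servers remotely.
Import-Module ActiveDirectory

# Server operating systems only. Workstations run just the DNS Client
# service ("Dnscache"), which the advisory says is unaffected.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$report = foreach ($name in $servers) {
    try {
        # "DNS" is the feature name of the DNS Server role.
        $role = Get-WindowsFeature -Name DNS -ComputerName $name -ErrorAction Stop

        # "DNS" is also the service name of the DNS Server service.
        $svc = Get-Service -Name DNS -ComputerName $name -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server           = $name
            DnsRoleInstalled = $role.Installed
            DnsServiceStatus = if ($svc) { $svc.Status } else { 'NotPresent' }
        }
    }
    catch {
        # Unreachable hosts are reported, not silently skipped,
        # so they can be checked by hand.
        [pscustomobject]@{
            Server           = $name
            DnsRoleInstalled = 'Unknown'
            DnsServiceStatus = "Query failed: $($_.Exception.Message)"
        }
    }
}

# Servers with the role installed sort to the top: these are the ones to patch first.
$report | Sort-Object { "$($_.DnsRoleInstalled)" } -Descending | Format-Table -AutoSize
```

Servers reported as `Unknown` should be treated as potentially affected until they have been checked directly.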

Q: Is this a Zero-Day Vulnerability where exploits are already in progress? 

A: No. As of this writing, there have been no known public exploits of this vulnerability. However, an eventual public exploit seems likely. This is a serious security flaw that will hold us accountable for our security practices one way or another. 

Q: What corrective action needs to be performed? 

A: Patches for Microsoft Servers that correct this vulnerability are available from Microsoft. Suite3 is evaluating and approving them for distribution. Patch delivery will begin early morning 7/15/2020. Clients who receive our automatic ManageSuite patch delivery services will see update rollouts starting tonight. 

There is also a fairly straightforward non-patch workaround; however, it may result in unexpected behavior from the DNS server. Though we advise clients to wait until we roll out the update(s), the workaround is available here: https://support.microsoft.com/en-us/help/4569509 

Q: What’s the good news? 

A: Exploitation of the vulnerability requires that the attacker be able to submit DNS requests to your affected DNS servers, which usually means being on your LAN. Also, again, there’s no proof of a public exploit yet. Best practices remain best practices: patch early and often, don’t open or run any documents or software you don’t trust, and make sure your backups are secure and isolated.

Updated: July 15, 2020 at 8:00am