CVE-2020-1350: Windows DNS Server Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 10)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2020-Jul
Released: 2020-07-14
Last Updated: 2020-07-28
EPSS Score: 93.81% (percentile: 99.9%)
CISA KEV: Listed — due 2022-05-03

Description

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

FAQ

This vulnerability has a CVSS Base score of 10. How bad is this?
We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.

Are any other non-Microsoft DNS server implementations impacted by this vulnerability?
The vulnerability stems from a flaw in Microsoft's DNS server implementation and is not the result of a protocol-level flaw, so it does not affect any other non-Microsoft DNS server implementations.

Under what circumstances would I consider using the registry key workaround?
Microsoft recommends that everyone who runs DNS servers install the security update as soon as possible. However, if you are unable to apply the patch right away, Microsoft recommends that you use the workaround as soon as possible to protect your environment in the time before you install the updates.

Is the Windows DNS client affected by this vulnerability?
No, the vulnerability only affects Microsoft's Windows DNS Server implementation, so the Windows DNS client is not affected.

Are internal, non-public facing DNS servers also vulnerable?
Yes. Internally facing DNS servers are also affected because the vulnerability occurs when a server processes a maliciously crafted response, and this can be triggered by any client name request.

Are all Windows Servers affected by this vulnerability?
No. Only Windows servers that are configured as DNS servers are affected by this vulnerability.

Known Exploits (7)

  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2021-07-03T10:44:02+08:00
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2021-02-27T20:31:39Z
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2020-09-02T15:37:27+08:00
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2020-08-01T00:57:49+08:00
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2020-07-17T05:41:19Z
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2020-07-16T16:46:48Z
  • Microsoft Windows DNS Server Remote Code Execution Vulnerability — added 2020-07-15T23:00:00Z

Detection & Weaponization (2 sources)

Maturity: Detection

  • Sigma rules: DNS RCE CVE-2020-1350
  • GitHub PoC: 15 repositories

Affected Products (17)

Windows

  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

ESU

  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Security Updates (12)

Acknowledgments

Sagi Tzadik and Eyal Itkin from Check Point Research

Revision History

  • 2020-07-14: Information published.
  • 2020-07-15: Added an FAQ. This is an information change only.
  • 2020-07-28: Added an FAQ. This is an information change only.