Iron Comet Consulting, Inc.

Critical Vulnerability in Microsoft Windows DNS Server Software

On July 14, 2020, Microsoft released a security bulletin detailing a wormable vulnerability in the DNS server software used in Windows servers. This is a critical vulnerability that should be patched immediately. The vulnerability has been around for 17 years but has only recently been found and a patch issued. It is extremely important that anyone using Windows Server with the DNS Server role. Patches are available for Server 2008, 2012, 2016, and 2019. Read on to learn more.

Critical vulnerability that allows for remote code execution

Windows DNS Server is at the very core of a Windows domain. DNS Server is required for Active Directory implementations so it is very likely that if you are using Windows Server in your practice or office, then you are using the DNS Server component. This vulnerability is so severe that the US Department of Homeland Security Cybersecurity & Infrastructure Security Agency (DHS CISA) ordered all agencies to install the patch or workaround with 24 hours.

Here is the official Microsoft CVE report for this vulnerability.

What does the vulnerability allow?

this vulnerability allows for malicious code to be executed on the Windows Server and then spread without user help. Most malware needs a user to help it move along by clicking on an attachment, visiting a phishing website, etc. But this vulnerability would allow malware to spread across a network without any user having to do anything. This would allow for rapid infection of a network because of this one flaw.

This is similar to the way the WannaCry ransomware spread in 2017. It used a vulnerability known as Eternal Blue that was also wormable. WannaCry infected over 230,000 computers worldwide on the day it was launched. This was due to the speed at which the malware moved through networks.

How can you fix it on your servers?

There are two ways to patch this on your servers. The first is to apply the patch issued by Microsoft. These can be downloaded here.

If you are unable to install the patch, you can also edit the registry for a workaround until such time you can install the patch.

Make the following registry change. This will restrict the size of the largest inbound TCP-based DNS response packet that’s allowed:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 

Value: TcpReceivePacketSize

Type: DWORD 

Value data: 0xFF00

The default (also maximum) Value data = 0xFFFF.

The DNS Service must be restarted for the registry change to take effect. You can do this from the Services applet in the Administrator’s Tools or run the following command as Administrator in a command prompt: net stop dns && net start dns

Please take this vulnerability seriously. It has the capacity to cause havoc on your network.