Threat Signal Report

SigRed: CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability

Description

The Microsoft Patch Tuesday release for July 14, 2020 contains (123) reported disclosures. This month's release has one critical vulnerability in Microsoft Windows Server (CVE-2020-1350) that allows for remote code execution by an unauthenticated attacker. It also has been confirmed by Microsoft to be wormable; devoid of user interaction.


What are the specifics of the vulnerability?

Microsoft Windows Server can be attacked by an unauthenticated attacker sending malicious DNS requests to a Windows DNS server. The vulnerability results from a flaw in Microsoft's DNS server role implementation and affects all Windows Server versions. The vulnerability potentially allows for an attacker to run arbitrary code as a Local System Account. Because the Windows DNS service is running as SYSTEM, an attacker can obtain Domain Administrator rights and ultimately gain elevated privileges; resulting in the potential compromise of an organization.


What versions of software are affected?

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)


Is this issue Windows Server (and Microsoft) specific?

Yes. This is a Microsoft Windows Server specific issue specific to Windows platforms.


Is the Microsoft Windows DNS client vulnerable to this issue?

No. Only Microsoft Windows Server versions are affected.


Have there been reports of in the wild exploitation?

No. Microsoft has not observed in the wild attacks exploiting CVE-2020-1350.


Any suggestions or mitigation/workarounds?

Because it has a CVSS score of 10 (Common Vulnerability Scoring System) and its possible wormable impact, FortiGuard Labs suggests that customers running affected Windows Server versions apply this month's updates as soon as possible. If not possible, it is recommended that those affected perform the necessary workarounds steps outlined by Microsoft below:

Workarounds

The following registry modification has been identified as a workaround for this vulnerability.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

DWORD = TcpReceivePacketSize

Value = 0xFF00

Note: A restart of the DNS Service is required to take effect.

Please see KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350 for more information.

To remove the workaround:

After applying the patch, the admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.


What is the status of AV and IPS coverage?

Fortinet customers running the latest IPS definitions (15.886) are protected against against CVE-2020-1350 by:

MS.Window.DNS.Server.SIG.Record.Parsing.Integer.Overflow

AV coverage is not feasible for this event.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.