July 29, 2020

DataBank Security Bulletin: Microsoft Windows DNS Server

On July 14, 2020, Microsoft published a security update guide for a Windows vulnerability in Microsoft Domain Name System (DNS) Server. Domain Name Servers are the “yellow pages” of the Internet that translate IP addresses into plain language names and vice-versa. This vulnerability has been designated Common Vulnerabilities and Exposures (CVE) number CVE-2020-1350.

CVE-2020-1350 describes a vulnerability in which Windows DNS servers fail to properly handle translation requests in a way that could be exploited.

In summary, an attacker could send a malicious request to the vulnerable Windows DNS server and then execute commands or run scripts and programs on that server with security privileges similar to the local Administrator account.

How bad is this vulnerability?
Given what is publicly known about this vulnerability and what has been learned from analysis, it has been given a Common Vulnerability Scoring System (CVSS) base score of 10.0, the highest score a vulnerability can receive, which indicates it is critical. Also, as of July 20, 2020, a proof-of-concept denial of service (DoS) exploit that takes advantage of this vulnerability has been released.

The US government Cybersecurity & Infrastructure Security Agency (CISA) has also issued Emergency Directive 20-03 regarding this vulnerability. CISA “strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.”

Are my systems at risk?
This vulnerability affects all versions of Windows Server with the DNS role enabled (NOTE: this includes all Windows Domain Controllers (DCs) as the DNS role is required in order to be a DC). This vulnerability is now widely known, and Microsoft considers this vulnerability likely to be exploited.

If you have domain controllers or regular Windows servers that are running DNS, then you are likely at risk without the proper patching. Your risk may be mitigated by other controls such as firewall rules, IPS systems, or other security controls.

What action can I take? What is recommended?
According to Microsoft, there are two ways of mitigating this vulnerability:

1. Workaround: Make a small registry modification

2. Patch: Install the available Windows Update patch for your version of Windows Server

There is some inherent risk in modifying the Windows registry; however, this workaround has the benefit of only requiring a restart of the DNS services on the server to take effect. The Windows Update patch is the simpler and less risky option but will require a server reboot for the patch to take effect.

If you are a DataBank Managed Services customer, DataBank patched your systems over the weekend of July 17-20.

If you are not a DataBank Managed Services customer, we highly recommend that you evaluate this patch and your risk immediately.

Microsoft has released update patches to remediate this vulnerability for all Windows Server versions from Windows Server 2008 SP2 through Windows Server 2019 (as well as Windows Server, versions 1903, 1909, and 2004). Those patches should distribute to Windows Servers running Windows Update; however, it is strongly recommended to validate this and ensure your Windows Servers have the patch installed.

While it is recommended that Windows Servers with the DNS role enabled be the first Windows servers in your environment to get either the workaround or the patch, all Windows Servers should get patched because of the possibility that the DNS role could get enabled on other servers at some point in the future.
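One way to carry out the validation recommended above on a single server, as an added example that is not part of this bulletin or of Microsoft's tooling. The KB ID is a placeholder to be replaced from the MSRC advisory, and the registry key, value name and data are assumed from Microsoft's published workaround rather than taken from this bulletin.

```powershell
# Added example: audit the local Windows Server for CVE-2020-1350 status.
param(
    # KB IDs you accept as fixing CVE-2020-1350 on this OS version, taken from
    # the MSRC advisory. Later cumulative updates carry the fix under other IDs.
    [string[]]$PatchKbIds = @('KB0000000')   # placeholder, not a real KB number
)

# Assumption: key, value name and data follow Microsoft's published workaround;
# confirm them against the MSRC advisory before relying on this check.
$ParamKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName      = 'TcpReceivePacketSize'
$WorkaroundData = 0xFF00

# 1. The DNS Server role registers a service named "DNS" (not the Dnscache client).
$dnsService   = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
$dnsInstalled = $null -ne $dnsService

# 2. Look for any accepted update among the installed hotfixes.
$hits    = @(Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $PatchKbIds -contains $_.HotFixID })
$patched = $hits.Count -gt 0

# 3. Read the workaround value. The registry only shows that it was set; it takes
#    effect after the DNS service restarts, which this script cannot confirm.
$current = (Get-ItemProperty -Path $ParamKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$workaroundSet = ($null -ne $current) -and ($current -eq $WorkaroundData)

# 4. Patch status outranks the workaround; servers without the DNS role still
#    need the update because the role could be enabled later.
$verdict = if ($patched) {
    'Patched'
} elseif (-not $dnsInstalled) {
    'DNS role absent, patch still required'
} elseif ($workaroundSet) {
    'Workaround only, schedule the patch'
} else {
    'EXPOSED: DNS role present, no patch or workaround'
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DnsRoleInstalled = $dnsInstalled
    DnsServiceStatus = if ($dnsService) { $dnsService.Status } else { 'n/a' }
    PatchInstalled   = $patched
    InstalledKbs     = ($hits.HotFixID -join ',')
    WorkaroundValue  = if ($null -ne $current) { '0x{0:X}' -f $current } else { 'not set' }
    Verdict          = $verdict
}
```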

See here for details on the workaround and a listing of Windows Update patches available for each version of Windows Server.

Harry Dixon, Security Engineer

References:
Microsoft Security Response Center (MSRC) publication
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

NIST National Vulnerability Database (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2020-1350

Cybersecurity & Infrastructure Security Agency (CISA) bulletin
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability

Microsoft Windows Dev Center
https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account