CVE-2020-1350: Vulnerability in Windows DNS servers

Microsoft has reported the vulnerability CVE-2020-1350 in Windows DNS server. Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cybercriminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already released patches and a workaround.

What is the vulnerability, and how is it dangerous?

CVE-2020-1350 lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the RCE class. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.

Third-party code is then executed in the context of the LocalSystem account. This account has extensive privileges on the local computer, and it acts as a computer on the network. In addition, the security subsystem does not recognize the LocalSystem account. According to Microsoft, the main danger of the vulnerability is that it can be used to spread a threat over the local network; that is, it is classified as wormable.

Who is in the CVE-2020-1350 risk zone?

All versions of Windows Server are vulnerable, but only if running in DNS server mode. If your company does not have a DNS server, or uses a DNS server based on a different operating system, you have nothing to worry about.

Fortunately, the vulnerability was discovered by Check Point Research, and as yet no public information exists about how to exploit it. In addition, there is currently no evidence of CVE-2020-1350 having been exploited by attackers.

However, it is very likely that as soon as Microsoft recommended updating the system, cybercriminals began poring over vulnerable DNS servers and the released patches to work out how to exploit the vulnerability. No one should delay installing the patch.

What to do

As mentioned above, the best action is to install the Microsoft patch, which modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004. You can download it from the Microsoft page dedicated to this vulnerability.

However, some large companies have internal rules and an established routine for software updates, and their system administrators might not be able to install the patch immediately. To prevent DNS servers from being compromised in such cases, the company also proposed a workaround. It involves making the following changes to the system registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

After saving the changes, you’ll need to restart the server. Note that this workaround can potentially lead to incorrect server operation in the rare case that the server receives a TCP packet larger than 65,280 bytes, so Microsoft recommends deleting the TcpReceivePacketSize key and its value, and returning the registry entry to its original state, once the patch is eventually installed.

From our side, we want to remind you that the DNS server running in your infrastructure is a computer, same as any other endpoint. They also can have vulnerabilities that cybercriminals can try to exploit. Therefore, like any other endpoint on the network, it requires a security solution, such as Kaspersky Endpoint Security for Business.