This information is intended for U-M IT staff who are responsible for Windows Domain Name System (DNS) servers.
Summary
Microsoft has provided an update to address a critical Remote Code Execution (RCE) vulnerability in Windows DNS Server, a core networking component. It affects Windows servers configured to run the DNS Server role. The vulnerability is "wormable": malware that exploits it could spread between vulnerable computers without user interaction. Apply the update as soon as possible after appropriate testing.
Problem
A flaw in Microsoft’s DNS server implementation that affects all Windows Server versions allows a buffer overflow to be exploited for remote code execution. The vulnerability is wormable and could propagate automatically to vulnerable machines on the network with no user interaction. Non-Microsoft DNS Servers are not affected.
Affected Systems
All Windows Server versions configured to run Microsoft’s DNS Server role.
Action Items
Apply the update or mitigate as soon as possible after appropriate testing. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
A workaround to address this vulnerability is to make a registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed. For the workaround details, see KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350.
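The following PowerShell script is an added example, not part of the original alert or of Microsoft's guidance; it audits a DNS server for the registry workaround described above and applies it on request. The registry path, the value name `TcpReceivePacketSize` and the data `0xFF00` are taken from KB4569509 and should be confirmed against that article; the `-Apply` switch is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, and with -Apply set, the KB4569509 workaround for CVE-2020-1350.
# Key, value name and data follow Microsoft's KB4569509; confirm them against the KB.
param([switch]$Apply)   # hypothetical switch for this example: without it, report only

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name  = 'TcpReceivePacketSize'
$limit = 0xFF00   # largest inbound TCP-based DNS response packet the server will accept

# Only hosts running the Windows DNS Server service are affected.
if (-not (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)) {
    Write-Output 'DNS Server service not present; workaround not applicable.'
    return
}

# Read the current setting; $null means the value has never been created.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -ne $current -and $current -le $limit) {
    Write-Output ('Workaround present: {0} = 0x{1:X}' -f $name, $current)
    return
}

$state = if ($null -eq $current) { 'not set' } else { '0x{0:X}' -f $current }
if (-not $Apply) {
    Write-Output "Workaround missing ($name is $state). Re-run with -Apply or install the update."
    return
}

# Create or overwrite the DWORD value, then restart DNS so the limit takes effect.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $limit -Force | Out-Null
Restart-Service -Name 'DNS'

# Read the value back so the result is verified rather than assumed.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -eq $limit) {
    Write-Output ('Workaround applied: {0} = 0x{1:X}; DNS service restarted.' -f $name, $after)
} else {
    Write-Error "Unexpected value after write: $after"
}
```

Restarting the DNS service briefly interrupts name resolution on that server, so schedule the `-Apply` run accordingly.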
Please continue to monitor this alert on Safe Computing for updates.
Threats
Microsoft has no evidence of active exploitation of this vulnerability in the wild. It is wormable and could propagate automatically to vulnerable machines on the network with no user interaction.
Technical Details
CVE-2020-1350 is a wormable, critical vulnerability in the Windows DNS server that can be triggered by a malicious DNS response.
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
This vulnerability affects servers, not personal computers. Most users do not need to do anything.
References
- July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server (Microsoft, 7/14/20)
- Guidance for DNS Server Vulnerability CVE-2020-1350 (Microsoft, 7/14/20)
- Microsoft patches critical wormable SigRed bug in Windows DNS Server (Bleeping Computer, 7/14/20)
- 17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers (The Hacker News, 7/14/20)
- SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers (Check Point Research, 7/14/20)