Microsoft released an update on July 14 2020 for CVE-2020-1350 , a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.
Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.
The following article includes a registry based Workaround if a restart to the system is not possible:
The following query is useful in finding and reporting Vulnerable systems in your network:
Query |
WITH vulnerable AS ( SELECT 'CVE-2020-1350' AS id, CASE WHEN Count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END os_vulnerable FROM os_version WHERE major >= 6 AND codename LIKE '%Server%' ), installed AS ( SELECT 'CVE-2020-1350' AS id, CASE WHEN Count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END dns_installed FROM services WHERE NAME = 'DNS' ), workaround AS ( SELECT 'CVE-2020-1350' AS id, CASE WHEN Count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END workaround_configured FROM registry WHERE KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters' AND NAME = 'TcpReceivePacketSize' AND Cast(data AS INT) <= 65280 ), patched AS ( SELECT 'CVE-2020-1350' AS id, CASE WHEN Count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END is_patched FROM patches WHERE hotfix_id IN ( 'KB4558998', 'KB4565483', 'KB4565503', 'KB4565511', 'KB4565524', 'KB4565529', 'KB4565535', 'KB4565536', 'KB4565537', 'KB4565539', 'KB4565540', 'KB4565541' ) ) SELECT * FROM vulnerable JOIN installed using (id), workaround using (id), patched using (id) |
The Above query will check for CVE validation and if the Workaround was implemented for your Server. Here is a sample output from a vulnerable system
id: Represents the Vulnerability name
Os_vulnerable: TRUE if the CVE exists, FALSE if the server is patched or DNS not installed.
Dns_installed: TRUE if installed, FALSE if DNS not installed.
Workaround_configured: TRUE if registry workaround is configured, FALSE if no workaround configured.
is_patched: TRUE if latest patches and updates are installed for the vulnerability, FALSE if update is pending
Please send us an email at support@uptycs.com for any issues.