Query for CVE-2020-1350 Vulnerability for Windows Domain Name Systems

Microsoft released an update on July 14, 2020 for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.


Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible. 

The following article includes a registry-based workaround if a restart of the system is not possible:

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability


The following query is useful for finding and reporting vulnerable systems in your network:

Query
-- Is this host running a Windows Server OS?
WITH vulnerable AS
(
       SELECT 'CVE-2020-1350' AS id,
              CASE
                     WHEN COUNT(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END os_vulnerable
       FROM   os_version
       WHERE  major >= 6
       AND    codename LIKE '%Server%' ),
-- Is the DNS Server service present?
installed AS
(
       SELECT 'CVE-2020-1350' AS id,
              CASE
                     WHEN COUNT(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END dns_installed
       FROM   services
       WHERE  name = 'DNS' ),
-- Is the registry workaround (TcpReceivePacketSize <= 0xFF00) set?
workaround AS
(
       SELECT 'CVE-2020-1350' AS id,
              CASE
                     WHEN COUNT(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END workaround_configured
       FROM   registry
       WHERE  key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
       AND    name = 'TcpReceivePacketSize'
       AND    CAST(data AS INT) <= 65280 ),
-- Is one of the July 2020 updates that fix the CVE installed?
patched AS
(
       SELECT 'CVE-2020-1350' AS id,
              CASE
                     WHEN COUNT(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END is_patched
       FROM   patches
       WHERE  hotfix_id IN ( 'KB4558998',
                            'KB4565483',
                            'KB4565503',
                            'KB4565511',
                            'KB4565524',
                            'KB4565529',
                            'KB4565535',
                            'KB4565536',
                            'KB4565537',
                            'KB4565539',
                            'KB4565540',
                            'KB4565541' ) )
-- One row per host: all four checks joined on the CVE id
SELECT *
FROM   vulnerable
JOIN   installed USING (id)
JOIN   workaround USING (id)
JOIN   patched USING (id);

The above query checks for the CVE and whether the workaround was implemented on your server. Here is a sample output from a vulnerable system:


id: The vulnerability name.

os_vulnerable: TRUE if the CVE exists, FALSE if the server is patched or DNS is not installed.

dns_installed: TRUE if DNS is installed, FALSE if it is not.

workaround_configured: TRUE if the registry workaround is configured, FALSE if no workaround is configured.

is_patched: TRUE if the latest patches and updates for the vulnerability are installed, FALSE if the update is pending.
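
The four checks above, folded into a single status per host and run with Python's sqlite3 module (SQLite is the SQL engine osquery uses) against constructed stand-ins for the osquery tables. This is an added example, not part of the original article or of Uptycs' code; the status names, their precedence, the `status()` helper and the sample hosts are assumptions of the example.

```python
import sqlite3

# The four checks from the query above, folded into one status per host.
# Status names and their precedence are assumptions of this example.
VERDICT_SQL = r"""
WITH c AS (
  SELECT
    (SELECT COUNT(*) FROM os_version
      WHERE major >= 6 AND codename LIKE '%Server%') > 0 AS server_os,
    (SELECT COUNT(*) FROM services WHERE name = 'DNS') > 0 AS dns,
    (SELECT COUNT(*) FROM registry
      WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        AND name = 'TcpReceivePacketSize'
        AND CAST(data AS INT) <= 65280) > 0 AS workaround,
    (SELECT COUNT(*) FROM patches WHERE hotfix_id IN (
      'KB4558998', 'KB4565483', 'KB4565503', 'KB4565511', 'KB4565524', 'KB4565529',
      'KB4565535', 'KB4565536', 'KB4565537', 'KB4565539', 'KB4565540', 'KB4565541'
    )) > 0 AS patched
)
SELECT CASE WHEN NOT (server_os AND dns) THEN 'NOT_APPLICABLE'
            WHEN patched                 THEN 'PATCHED'
            WHEN workaround              THEN 'WORKAROUND_ONLY'
            ELSE 'EXPOSED' END AS status
FROM c
"""

DNS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
SERVER = "Microsoft Windows Server 2016 Standard"  # constructed sample codename

def status(codename, services=(), packet_size=None, hotfixes=()):
    """Build constructed stand-ins for the osquery tables and run the query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE os_version (major INT, codename TEXT);
        CREATE TABLE services (name TEXT);
        CREATE TABLE registry (key TEXT, name TEXT, data TEXT);
        CREATE TABLE patches (hotfix_id TEXT);
    """)
    db.execute("INSERT INTO os_version VALUES (10, ?)", (codename,))
    db.executemany("INSERT INTO services VALUES (?)", [(s,) for s in services])
    db.executemany("INSERT INTO patches VALUES (?)", [(k,) for k in hotfixes])
    if packet_size is not None:  # registry value present only when set
        db.execute("INSERT INTO registry VALUES (?, 'TcpReceivePacketSize', ?)",
                   (DNS_KEY, str(packet_size)))
    return db.execute(VERDICT_SQL).fetchone()[0]

if __name__ == "__main__":
    for size in (None, 65280, 65535):  # unset, workaround value, value too large
        print(size, status(SERVER, ["DNS"], packet_size=size))
```

The registry check only shows that the value is set; per Microsoft's guidance the DNS service must be restarted before the workaround takes effect, which this query cannot observe.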

Please send us an email at support@uptycs.com for any issues.



