Query for CVE-2020-1350 Vulnerability for Windows Domain Name Systems

Microsoft released an update on July 14 2020 for CVE-2020-1350 , a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. 

Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible. 

The following article includes a registry based Workaround if a restart to the system is not possible:

The following query is useful in finding and reporting Vulnerable systems in your network:

WITH vulnerable AS
       SELECT 'CVE-2020-1350' AS id,
                     WHEN Count(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END os_vulnerable
       FROM   os_version
       WHERE  major >= 6
       AND    codename LIKE '%Server%' ), installed AS
       SELECT 'CVE-2020-1350' AS id,
                     WHEN Count(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END dns_installed
       FROM   services
       WHERE  NAME = 'DNS' ), workaround AS
       SELECT 'CVE-2020-1350' AS id,
                     WHEN Count(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END workaround_configured
       FROM   registry
       WHERE  KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
       AND    NAME = 'TcpReceivePacketSize'
       AND    Cast(data AS INT) <= 65280 ), patched AS
       SELECT 'CVE-2020-1350' AS id,
                     WHEN Count(*) > 0 THEN 'TRUE'
                     ELSE 'FALSE'
              END is_patched
       FROM   patches
       WHERE  hotfix_id IN ( 'KB4558998',
                            'KB4565541' ) )
FROM   vulnerable
JOIN   installed
using  (id),
using  (id),
using  (id)

The Above query will check for CVE validation and if the Workaround was implemented for your Server.  Here is a sample output from a vulnerable system

id: Represents the Vulnerability name

Os_vulnerable: TRUE if the CVE exists, FALSE if the server is patched or DNS not installed.

Dns_installed: TRUE if installed, FALSE if DNS not installed.

Workaround_configured: TRUE if registry workaround is configured, FALSE if no workaround configured.

is_patched: TRUE if latest patches and updates are installed for the vulnerability, FALSE if update is pending

Please send us an email at for any issues.

    • Related Articles

    • Windows Disk Usage query

      The article includes query to fetch the Windows Disk usage: Query SELCET DISTINCT                 upt_hostname,                 upt_time,                 device_id,                 size,                 free_space,                 size - free_space ...
    • Windows Forensic Analysis queries

      This article includes a  list of queries to conduct forensic analysis on Windows systems.  These are categorized into sections as -      processes,      services,      file system activities,     user login/session activities,     network traffic.   ...
    • Query to find the Process Tree

      Query WITH pstree AS (SELECT 0 AS LEVEL, pid, name, parent, Cast(pid AS TEXT) AS ppid, name AS pparent FROM processes WHERE parent = 0 UNION ALL SELECT LEVEL + 1,,, t.parent, pstree.ppid || ', ' || Cast( AS TEXT), pstree.pparent || ...
    • Disk Usage Query (Linux and Darwin)

      This article includes the query used to find out the disk usage of a mount point for a particular host: Query SELECT m.upt_asset_id,  m.upt_time,  m.path,  Round(( ( m.blocks - m.blocks_available ) * m.blocks_size * 10e-10 ), 2)  AS  used_gigs  FROM ...
    • Query to find Processes delta between last 2 weeks

      Query WITH last_week_processes_cmds AS ( SELECT DISTINCT upt_asset_id, name, cmdline, path FROM processes WHERE upt_day >= Cast(Date_format(current_date - interval '14' day, '%Y%m%d') AS INTEGER) AND upt_day < Cast(Date_format(current_date - interval ...