Windows DNS Server
This is a really major issue for Active Directory Domain Controllers.
CVE-2020-1350 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
We can see there are 2,133 servers on Shodan that are exposed; however, this exploit doesn’t rely on exposure. A client request from inside the network to a malicious DNS server could be used to exploit the domain controller.
So basically, any Windows DNS server is vulnerable if it can forward requests to internet-facing DNS services. There’s a workaround as well as the patch (the workaround does not require a reboot but does require a restart of the DNS Server service).
Given this is an RCE which likely affects domain controllers, mitigation or patching ASAP is advisable. The good news is there is currently no public exploit. An attacker also requires DNS infrastructure; however, that is hardly a barrier to entry for ransomware gangs and nation-state actors.
And don’t forget this affects all versions of Windows listed as 2003-2019, but you never know, win2k might also be affected.
The workaround for this is as follows:
The following registry modification has been identified as a workaround for this vulnerability.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
Note: A restart of the DNS Service is required to take effect.
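One way to apply and verify this workaround in PowerShell, as an added example (not the author's scripts and not Microsoft's code). The registry path, value name and value are the ones quoted above; the service name `DNS` for the Windows DNS Server role and the use of `-WhatIf` for a dry run are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the CVE-2020-1350 registry workaround.
# Path, value name and value are taken from the workaround quoted in the text.
[CmdletBinding(SupportsShouldProcess)]
param()

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name  = 'TcpReceivePacketSize'
$Value = 0xFF00   # 65280

# Detection: only act on hosts that run the DNS Server service
# (assumed service name: 'DNS').
$svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'DNS Server service not found; nothing to do.'
    return
}

# Read the current value; $null means the value has never been set.
$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -eq $Value) {
    # The value only takes effect after a service restart, which cannot be
    # confirmed from the registry alone.
    Write-Output ('{0} is already 0x{1:X}; confirm the DNS service was restarted since.' -f $Name, $current)
    return
}

$shown = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
Write-Output ('{0} is currently {1}.' -f $Name, $shown)

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $Name to 0xFF00 and restart DNS")) {
    # -Force overwrites an existing value of a different size or type.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

    # The workaround is not active until the DNS service restarts.
    Restart-Service -Name 'DNS' -Force

    # Verify both the stored value and that the service came back up.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $state = (Get-Service -Name 'DNS').Status
    if ($after -ne $Value -or $state -ne 'Running') {
        throw ('Workaround not confirmed: value=0x{0:X}, service={1}' -f $after, $state)
    }
    Write-Output ('Workaround applied: {0}=0x{1:X}, DNS service {2}.' -f $Name, $after, $state)
}
```

Run it with `-WhatIf` first to see the current value without changing anything.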
I’ve made a quick local workaround set of scripts, one is a batch file (why?) and one is PowerShell with a bit of detection logic. Use at own risk etc. (ideally patch)
For more info on the vulnerability please see: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Hyper-V RemoteFX vGPU
It’s my understanding these require specific configurations to be vulnerable.
CVE-2020-1040 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040
CVE-2020-1042 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042
CVE-2020-1043 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043
CVE-2020-1032 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032
CVE-2020-1036 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036
CVE-2020-1041 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041
.NET Framework, SharePoint Server, and Visual Studio
Windows Address Book
Remote Desktop Client
Windows Font Library
Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008
Another month, another set of patches. It’s key to stay on top of patching as well as ensuring that your estate operates current and supported operating systems.