Windows DNS Server

This is really a major issues for Active Directory Domain Controllers.
CVE-2020-1350 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

We can see there are 2,133 servers on Shodan that are exposed however this exploit doesn’t rely on exposure, a client request from inside the network to a malicious DNS server could be used to exploit the domain controller.

So basically, any Windows DNS server is vulnerable if it can forward requests to internet facing DNS services. There’s a workaround as well as deploying the patch (the workaround does not require a reboot but does require a DNS server service restart)

Given this is an RCE which likely affects domain controllers, mitigation or patching ASAP is advisable. The good news is there is currently no public exploit. The attackers also requires DNS infrastructure however that is hardly a barrier to entry for ransomare gangs and nation state actors.

And don’t forget this affects all version of Windows listed as 2003-2019 but you never know win2k might also be affected.

The workaround for this is as follows:

Workarounds

The following registry modification has been identified as a workaround for this vulnerability.

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 
  DWORD = TcpReceivePacketSize 
  Value = 0xFF00

Note: A restart of the DNS Service is required to take effect.

I’ve made a quick local workaround set of scripts, one is a batch file (why?) and one is PowerShell with a bit of detection logic. Use at own risk etc. (ideally patch)

https://github.com/mr-r3b00t/CVE-2020-1350

Fore more info on the vulnerability please see: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Hyper-V RemoteFX vGPU

It’s my understanding these require specific configurations to be vulnerable.
CVE-2020-1040 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040
CVE-2020-1042 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042
CVE-2020-1043 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043
CVE-2020-1032 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032
CVE-2020-1036 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036
CVE-2020-1041 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041

.NET Framework, SharePoint Server, and Visual Studio

CVE-2020-1147 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

DirectWrite

CVE-2020-1409 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1409

Windows Address Book

CVE-2020-1410 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410

PerformancePoint Services

CVE-2020-1439 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439

Microsoft Outlook

CVE-2020-1349 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1349

Remote Desktop Client

CVE-2020-1374 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374

LNK

CVE-2020-1421 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421

GDI+

CVE-2020-1435 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435

Windows Font Library

CVE-2020-1436 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436

VBScript

CVE-2020-1403 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403

ADV200008

Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008

Summary

Another month, another set of patches, it’s key to stay on top of patching as well as ensuring that your estate operates current and supported operating systems.

Leave a Reply

Your email address will not be published. Required fields are marked *