Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350

  • 28,806
    people reacted
  • 40
  • < 1 min. read

By and

Category: Threat Brief, Unit 42

Tags: , , , , , , , , , , , ,

Threat brief conceptual image

This post is also available in: 日本語 (Japanese)

Executive Summary

In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.  

This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading to remote code execution.

This vulnerability only affects Windows DNS and the following builds of the Microsoft Windows operating system (OS):

  • Windows Server 2008/2008 R2
  • Windows Server 2012/2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server version 1803/1903/1909/2004 (Server Core installation) 

Mitigation Actions

As always, we recommend our customers patch their systems as soon as possible. Microsoft also provided a workaround in cases where patches are not immediately possible. Please review KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350 for more details.  

Conclusion

Palo Alto Networks Threat Prevention and Cortex XDR provide protection against the exploitation of this vulnerability:

  • Cortex XDR:
    • Customers need to have PTU 137-33347 which adds dns.exe to the protected processes and it also applies the anti-exploit module on it. A list of all available protected processes can be found here. Note: This will prevent weaponized PoC's and not mitigate the crash PoC.  Cortex XDR clients will receive the updated content automatically from the cloud. On-prem customers should download this manually
  • Next-Generation Firewalls: 
    • The NGFW will prevent exploitation of the vulnerability by blocking overweight DNS SIG queries via the Palo Alto Networks Threat Prevention cloud-delivered security subscription. The relevant Threat ID is 58691.

Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.