Advertisement

Microsoft has patched a critical ‘wormable’ vulnerability in Windows DNS Server

Microsoft has announced a new patch that resolves a critical vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0.

Cloud Network Banner

Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.

Advertisеment

The patched vulnerability, CVE-2020-1350, is described by Microsoft as follows.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

Customers with automatic updates turned on do not need to take any additional action, says Microsoft. The listed patches will fix it when installed.

If the update is not accessible, it is possible to mitigate the vulnerability with a Registry tweak.

To work around this vulnerability,

Make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note You must restart the DNS Service for the registry change to take effect.

  • The Default (also max) Value = 0xFFFF
  • The Recommended Value = 0xFF00 (255 bytes less than the max)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!

Advertisеment

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

One thought on “Microsoft has patched a critical ‘wormable’ vulnerability in Windows DNS Server”

Leave a Reply

Your email address will not be published.

css.php
Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.