CVE-2020-1350: Vulnerability in Windows DNS servers
<blockquote data-quote="Bot" data-source="post: 894513" data-attributes="member: 52014"><p>Microsoft has reported the vulnerability CVE-2020-1350 in Windows DNS server. Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cybercriminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350" target="_blank">released patches and a workaround.</a></p><p></p><p><span style="font-size: 18px"><strong>What is the vulnerability, and how is it dangerous?</strong></span></p><p></p><p></p><p>CVE-2020-1350 lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the <a href="https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/" target="_blank">RCE class</a>. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.</p><p></p><p>Third-party code is then executed in the context of the <a href="https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account" target="_blank">LocalSystem account</a>. This account has extensive privileges on the local computer, and it acts as a computer on the network. In addition, the security subsystem does not recognize the LocalSystem account. According to Microsoft, the main danger of the vulnerability is that it can be used to spread a threat over the local network; that is, it is classified as <em>wormable</em>.</p><p></p><p><span style="font-size: 18px"><strong>Who is in the CVE-2020-1350 risk zone?</strong></span></p><p></p><p></p><p>All versions of Windows Server are vulnerable, but only if running in DNS server mode. 
If your company does not have a DNS server, or uses a DNS server based on a different operating system, you have nothing to worry about.</p><p></p><p>Fortunately, the vulnerability was discovered by Check Point Research, and as yet no public information exists about how to exploit it. In addition, there is currently no evidence of CVE-2020-1350 having been exploited by attackers.</p><p></p><p>However, it is very likely that as soon as Microsoft recommended updating the system, cybercriminals began poring over vulnerable DNS servers and the released patches to work out how to exploit the vulnerability. No one should delay installing the patch.</p><p></p><p><span style="font-size: 18px"><strong>What to do</strong></span></p><p></p><p></p><p>As mentioned above, the best action is to install the Microsoft patch, which modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004. You can download it from the <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350" target="_blank">Microsoft page dedicated to this vulnerability</a>.</p><p></p><p>However, some large companies have internal rules and an established routine for software updates, and their system administrators might not be able to install the patch immediately. To prevent DNS servers from being compromised in such cases, the company also <a href="https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability" target="_blank">proposed a workaround</a>. It involves making the following changes to the system registry:</p><p></p><p></p><p></p><p>After saving the changes, you’ll need to restart the server. 
Note that this workaround can potentially lead to incorrect server operation in the rare case that the server receives a TCP packet larger than 65,280 bytes, so Microsoft recommends deleting the TcpReceivePacketSize key and its value, and returning the registry entry to its original state, once the patch is eventually installed.</p><p></p><p>From our side, we want to remind you that the DNS server running in your infrastructure is a computer, same as any other endpoint. It can also have vulnerabilities that cybercriminals can try to exploit. Therefore, like any other endpoint on the network, it requires a security solution, such as <a href="https://www.kaspersky.com/small-to-medium-business-security?redef=1&THRU&reseller=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank">Kaspersky Endpoint Security for Business</a>.</p><p></p><p><a href="https://www.kaspersky.com/blog/cve-2020-1350-dns-rce/36366/" target="_blank">Source</a></p></blockquote><p></p>
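To gauge the caveat in the workaround described in the quoted post, the following added example (not part of the original post or of Microsoft's guidance) scans a reassembled DNS-over-TCP stream and reports messages longer than 65,280 bytes. It assumes the limit applies to the DNS message length carried in the two-byte prefix that DNS over TCP uses (RFC 1035); the function names and the sample stream are constructed for illustration.

```python
import struct

# Size limit named in the article for the registry workaround (0xFF00).
WORKAROUND_LIMIT = 65_280


def split_dns_tcp_stream(stream: bytes):
    """Yield (offset, declared_length, complete) for each DNS message in a
    reassembled TCP stream. DNS over TCP prefixes every message with a
    two-byte big-endian length (RFC 1035, section 4.2.2)."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            # Dangling byte: the capture ended inside a length prefix.
            yield offset, None, False
            return
        (length,) = struct.unpack_from("!H", stream, offset)
        complete = offset + 2 + length <= len(stream)
        yield offset, length, complete
        if not complete:
            return  # cannot resynchronise past a truncated message
        offset += 2 + length


def messages_over_limit(stream: bytes, limit: int = WORKAROUND_LIMIT):
    """Return (offset, length) of every message whose declared length
    exceeds the limit, including one cut short by the end of the capture."""
    return [(off, length)
            for off, length, _ in split_dns_tcp_stream(stream)
            if length is not None and length > limit]


def build_constructed_stream() -> bytes:
    # Constructed sample: payload bytes are zero filler, only sizes matter.
    sizes = [512, 65_280, 65_281, 65_535]
    return b"".join(struct.pack("!H", n) + bytes(n) for n in sizes)


if __name__ == "__main__":
    for off, length in messages_over_limit(build_constructed_stream()):
        print(f"offset {off}: {length}-byte DNS message exceeds "
              f"{WORKAROUND_LIMIT}")
```

Run over reassembled TCP payloads captured on a DNS server, an empty result suggests the size limit would not have affected that traffic.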