Alert Logic® is actively investigating a new vulnerability in Windows Domain Name System (DNS) Server – CVE-2020-1350. This vulnerability allows an attacker to send malicious requests to a Windows DNS Server and trigger remote code execution (RCE) on it.
Customers running any version of Windows DNS Server may be affected by this vulnerability. Microsoft has released an update to address this vulnerability, and it is recommended to apply the update as soon as possible. For more information about the patch and other mitigation options, refer to the Recommendations for Mitigation section in this article.
Per Microsoft, CVE-2020-1350 has been deemed a “wormable” vulnerability that has the potential to spread via malware between vulnerable computers without user interaction. The issue results from a flaw in Microsoft’s DNS server role implementation. An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the Local System Account.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic has developed telemetry signatures to identify the exploitation of this vulnerability.
Web Application Firewall: The nature of this attack does not allow it to be detected by web application firewalls.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
Microsoft has released an update to address CVE-2020-1350. Since the issue resides in the server role implementation, all versions of Windows DNS Server are vulnerable and require an update. If you have automatic updates turned on for your Windows DNS Servers, no action is needed. If you are not using automatic updates, it is recommended to apply Windows updates as soon as possible to address this vulnerability.
If you are not able to apply an update immediately, a registry-based workaround is available from Microsoft that does not require restarting the server.
For more information on the update and workaround, refer to Microsoft’s Security Update for CVE-2020-1350.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.