CVE-2020-1350 – A Patch 17-Years in the Making
CVE-2020-1350 is a 17-year-old remote code execution vulnerability in the Windows Domain Name System servers first discovered by Check Point researchers. On July 14th, 2020, Microsoft finally released a patch that can be found here. Organizations should quickly deploy the following registry entry to all Microsoft DNS servers to help block any in-development/in-use exploits:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
Businesses running Microsoft DNS (Active Directory) are strongly encouraged to deploy the mitigation mentioned above and patch their systems as quickly as possible, as systems as far back as Server 2003 are impacted by this vulnerability.
Check Point confirms that this vulnerability is a heap-based buffer overflow and is currently rated a 10.0. This vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. Any attackers who successfully exploit the vulnerability could run arbitrary code in the context of the Local System Account. To exploit this vulnerability, an attacker could send unauthenticated, malicious requests to a Windows DNS Server, and the patch supplied by Microsoft addresses the vulnerability by modifying how Windows DNS servers handle requests.
The exploit itself first requires an attacker to host a DNS server capable of producing the malicious request. Then, local DNS clients such as phones, tablets, laptops, etc., can be forced into making a query through their DNS servers to the malicious, attacker-controlled server. The response from the malicious server, which utilizes compression in one of the DNS fields, is temporarily cached in the local Microsoft DNS server as it is passed back to the client. The next time the query is requested, the local DNS server will attempt to uncompress the fields before responding, which results in a heap-memory overflow, which then allows the attacker remote code execution.
Those organizations that can analyze DNS requests should configure detection technologies to flag anomalous uses of SIG record queries as the DNS SIG response parser in the Microsoft DNS server code appears to be a great place to target exploits. Once a Microsoft DNS server is compromised, it can be turned into another malicious DNS client, thus perpetuating this vulnerability.
For a complete write-up by Check Point research, check out their work here.
Sources: