Threat Advisory: Microsoft Releases Patch for DNS Server Vulnerability (CVE-2020-1350)

July 17, 2020

Microsoft has released a patch for a critical vulnerability in its DNS server that affects Windows versions back to Server 2003. This vulnerability has received a CVSS score of 10 and allows for a full system compromise without authentication. The exploit can also be used to spread across a network without user interaction.

Affected Windows servers include any server with the DNS role enabled. As a result, Active Directory and Kerberos are at risk, since both rely on DNS service provided by domain controllers that have the DNS role enabled.

To exploit the vulnerability, the attacker sends the victim an email or gets them to visit a webpage in order to trigger a DNS query, which is sent to the attacker’s name server over UDP.

Next, the malicious name server sends a message indicating that the requested response is too large for UDP. This causes the target server to re-send the query over TCP, and the attacker's system then replies with the exploit. Because DNS replies are limited to 64 kBytes, the exploit response takes advantage of "pointers" to compress the response. When the response is expanded, the exploit is triggered on the target server.

These unusual DNS responses can be detected by searching DNS logs for a TCP response containing a SIG (Signature) resource record (RR).
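
The following is an added example, not part of the original advisory: one way to run the check described above on raw DNS-over-TCP payloads (for instance from a packet capture), flagging any response that carries a SIG record (type 24). The function names and the sample message are constructed for illustration, and the input is assumed to include the 2-byte TCP length prefix.

```python
import struct

SIG_TYPE = 24  # SIG resource record type number (RFC 2535)

def skip_name(msg, off):
    """Return the offset just past an encoded name; pointers are not followed."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:            # root label ends the name
            return off + 1
        off += 1 + length

def sig_records(tcp_payload):
    """Return (section, rdlength) for each SIG RR in a DNS-over-TCP response."""
    try:
        (framed_len,) = struct.unpack_from("!H", tcp_payload, 0)
        msg = tcp_payload[2:2 + framed_len]
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        if not flags & 0x8000:     # QR bit clear: a query, nothing to inspect
            return []
        off, hits = 12, []
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                off = skip_name(msg, off)
                rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
                off += 10 + rdlen
                if off > len(msg):                 # RDLENGTH runs past the message
                    raise ValueError("malformed DNS message")
                if rtype == SIG_TYPE:
                    hits.append((section, rdlen))
        return hits
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS message") from exc

def sample_response(flags=0x8180, rtype=SIG_TYPE):
    """Constructed, benign DNS-over-TCP message with one short resource record."""
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", rtype, 1)
    rdata = struct.pack("!HBBIIIH", 1, 5, 2, 60, 0, 0, 0) + b"\x00" + b"\x00" * 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    print(sig_records(sample_response()))
```

A `ValueError` from `sig_records` means the message was truncated or a record length ran past the end of the message, which is itself worth alerting on for DNS responses received over TCP.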

Publicly published vulnerabilities within vendor advisories are often exploited by malicious actors to either gain network access, further compromise and propagate across a network, or extract additional information from vulnerable systems.

Therefore, Herjavec Group highly recommends that organizations monitor vendor security advisories and apply patches immediately. If a patch is not currently available, apply any temporary mitigations and increase monitoring as required.

Herjavec Group circulates US-CERT advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.