Windows DNS server remote code execution

Posted on July 14th, 2020

Overview

Check Point recently disclosed a remote code execution vulnerability in Windows Domain Name System (DNS) servers that arises when they fail to properly handle requests. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account.

This vulnerability has a base CVSS score of 10.0 and is classified as “wormable,” meaning the exploit could be weaponized so that it spreads from computer to computer.

Threat Intelligence

The Masergy Threat Intelligence team is currently not aware of exploitation of this vulnerability occurring in the wild. Although there are no proof-of-concept exploits publicly available at this time, we assess with moderate confidence that attackers will pursue the development of exploits for this vulnerability.

Vulnerabilities

Systems Affected

Recommendations

We recommend the following actions be taken:

References

Microsoft:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Check Point:

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/