This announcement is rated Critical. Please act on it as described below.
What you need to know:
On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.
A registry-based workaround can help protect an affected Windows server, and it can be implemented without restarting the server itself (only the DNS Server service has to be restarted). Because of the severity of this vulnerability, administrators may want to implement the workaround first so that they can then install the security update on their standard deployment cadence.
Actions to be taken:
We recommend that everyone who runs a Windows DNS server install the security update as soon as possible. If you are unable to apply the update right away, the registry workaround below lets you protect your environment until you can install the update on your standard patching cadence.
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed (the value is TcpReceivePacketSize, a DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, as documented in Microsoft KB4569509):
- Value = 0xFF00
- The default (also maximum) value = 0xFFFF (65,535 bytes)
- The recommended value = 0xFF00 (65,280 bytes; 255 bytes less than the maximum)
Note: You must restart the DNS Server service for the registry change to take effect. A full server restart is not required.
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65,280 bytes (0xFF00). Responses that large are rare in practice, but if name resolution for a particular domain stops working after the change, this limit is the first thing to check.
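The following PowerShell script is an added example and is not part of the original advisory or of Microsoft's own tooling. It applies the workaround described above, verifies whether a host is already protected, and removes the value again once the security update has been installed. The registry path and the TcpReceivePacketSize value name are those published in Microsoft KB4569509; the -Action parameter, the Get-CurrentSize helper and the "at or below 0xFF00 counts as protected" rule are this script's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): manage the CVE-2020-1350
# TcpReceivePacketSize workaround on a Windows DNS server.
param(
    # Assumed parameter name: Apply the workaround, Verify the current state,
    # or Remove the value after the security update has been installed.
    [ValidateSet('Apply', 'Verify', 'Remove')]
    [string]$Action = 'Apply'
)

# Registry location and value name as documented in Microsoft KB4569509.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280 bytes: 255 below the 0xFFFF default/maximum

# The workaround only makes sense on a host that runs the DNS Server role.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Error 'The DNS Server service is not installed on this host; nothing to do.'
    exit 1
}

function Get-CurrentSize {
    # Returns $null when the value is absent, meaning the default 0xFFFF applies.
    $p = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [uint32]$p.$ValueName
}

switch ($Action) {
    'Apply' {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Recommended -Force | Out-Null
        # Only the DNS service needs to restart, not the whole server.
        Restart-Service -Name DNS -Force
        $now = Get-CurrentSize
        if ($now -ne $Recommended) {
            throw ('Expected {0} = 0x{1:X4} but found {2}' -f $ValueName, $Recommended, $now)
        }
        'Workaround applied: {0} = 0x{1:X4} ({1} bytes)' -f $ValueName, $now
    }
    'Verify' {
        $now = Get-CurrentSize
        if ($null -eq $now) {
            '{0} not set; default 0xFFFF (65535 bytes) in effect: NOT protected' -f $ValueName
        }
        elseif ($now -le $Recommended) {
            # Assumption: any limit at or below the recommended value is treated as protected.
            '{0} = 0x{1:X4} ({1} bytes): workaround in place' -f $ValueName, $now
        }
        else {
            '{0} = 0x{1:X4} ({1} bytes) is above 0xFF00: NOT protected' -f $ValueName, $now
        }
    }
    'Remove' {
        # Once the security update is installed the workaround is no longer needed;
        # deleting the value restores the default 0xFFFF limit.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        Restart-Service -Name DNS -Force
        '{0} removed; default 0xFFFF (65535 bytes) restored' -f $ValueName
    }
}
```

Run it from an elevated PowerShell prompt as `.\Set-DnsTcpWorkaround.ps1 -Action Apply` (the file name is illustrative); `-Action Verify` is safe to run from a configuration-management or compliance job because it changes nothing and touches only the registry. The short DNS Server service restart in Apply and Remove is the same interruption the advisory describes, so schedule it like any other service restart on a production resolver.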
What is the impact of not taking these actions?
An unauthenticated attacker could send specially crafted requests to an unpatched Windows DNS server and, if successful, run arbitrary code in the context of the Local System account, with no user interaction required. Servers that are neither updated nor protected by the workaround remain exposed.