CVE-2020-1350 – WINDOWS DNS SERVER – Applying a Workaround with Powershell

I wrote a Powershell script to check, apply and remove a workaround for the Windows DNS Server (CVE-2020-1350) if you are unable to apply the patch right away.  The Vulnerability affects Windows DNS Servers was announced one or two days ago.

More details about this Vulnerability that affects WINDOWS DNS SERVER

“To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer” – Check Point

Sagi Tzadik a security researcher from Check Point has published a nice blog article about this issue:

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Using an oneliner to apply the workaround

I started to play in my lab environment, I wrote and ran this one-liner to test a quick way of implementing the workaround against all my domain controllers in my lab domain with a domain account with high privileges account from privileged access VM:

Same approach for the verification

I ran the oneliner script above twice on purpose, the second time threw this expected error, that I use to check if the workaround was already applied.

I didn’t restart the DNS server in the version above but can be a simple as adding  Restart-Service DNS, with this result:

So I decided to focus my efforts on writing an improved version of this script that could be used in production environments, designed to be run locally on the DNS server and that would be (hopefully) smarter than the oneliner.

The Powershell Script: Workaround-CVE-2020-1350.ps1

Then I re-wrote down the script in a couple of iterations and decided to keep it extremely simple to read and breaking it into 3 functions:

  • Check-Workaround – Return True if the workaround is needed (because already implemented) and False otherwise. Please note that it requires Powershell 5.1 to work due to this cmd-let Get-ItemPropertyValue. If you run an older version of PowerShell you can comment out the require statement (##requires -Version 5.1), but be aware that check-workaround will always return false.
  • Apply-Workaround – Checks for is there is a DNS Server role installed, if the DNS Server is running and if the workaround is not installed. Backups the registry settings for the DNS before applying the changes. Applies the workaround and asks the user before restarting the DNS server.
  • Remove-Workaround – Checks for is there is a DNS Server role installed, if the DNS Server is running and if the workaround is installed. Removes the workaround and asks the user before restarting the DNS server.

To make it more clear, I’ve copied the output of the script and execution below.

Conclusion

This Vulnerability scored as a perfect 10.  As usual, you can find these scripts on my GitHub Repository.

Update

[17/07/2020] I’m updating this article adding a couple of useful links to read on this topic.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.