I wrote a PowerShell script to check, apply and remove a workaround for the Windows DNS Server vulnerability (CVE-2020-1350) if you are unable to apply the patch right away. The vulnerability, which affects Windows DNS Servers, was announced one or two days ago.
More details about this Vulnerability that affects WINDOWS DNS SERVER
“To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer” – Check Point
Sagi Tzadik, a security researcher from Check Point, has published a nice blog article about this issue:
Using a one-liner to apply the workaround
I started to play in my lab environment: I wrote and ran this one-liner to test a quick way of implementing the workaround against all the domain controllers in my lab domain, using a highly privileged domain account from a privileged access VM:
```powershell
Invoke-Command -ComputerName "lab-dc01", "lab-doc" -ScriptBlock {New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" -Name TcpReceivePacketSize -PropertyType DWORD -Value 0xFF00}
```
Same approach for the verification
I ran the one-liner above twice on purpose; the second run threw this expected error, which I use to check whether the workaround was already applied.
```
New-ItemProperty : The property already exists.
At line:1 char:1
+ New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (HKEY_LOCAL_MACH...DNS\Parameters\:String) [New-ItemProperty], IOExcepti
   on
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
```
I didn’t restart the DNS server in the version above, but it can be as simple as adding Restart-Service DNS, with this result:
```powershell
Invoke-Command -ComputerName "lab-dc01", "lab-doc" -ScriptBlock {New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" -Name TcpReceivePacketSize -PropertyType DWORD -Value 0xFF00 ; Restart-Service "DNS"}
```
So I decided to focus my efforts on writing an improved version of this script that could be used in production environments, designed to be run locally on the DNS server, and that would be (hopefully) smarter than the one-liner.
The Powershell Script: Workaround-CVE-2020-1350.ps1
Then I rewrote the script over a couple of iterations and decided to keep it extremely simple to read, breaking it into 3 functions:
- Check-Workaround – Returns True if the workaround is not needed (because it is already implemented) and False otherwise. Please note that it requires PowerShell 5.1 to work because of the Get-ItemPropertyValue cmdlet. If you run an older version of PowerShell you can comment out the requires statement (##requires -Version 5.1), but be aware that Check-Workaround will always return False.
- Apply-Workaround – Checks whether the DNS Server role is installed, whether the DNS Server is running and whether the workaround is not yet installed. Backs up the DNS registry settings before applying the changes. Applies the workaround and asks the user before restarting the DNS server.
- Remove-Workaround – Checks whether the DNS Server role is installed, whether the DNS Server is running and whether the workaround is installed. Removes the workaround and asks the user before restarting the DNS server.
```powershell
#requires -runasadministrator
#requires -Version 5.1

# Paolo Frigo, https://www.scriptinglibrary.com

# https://nvd.nist.gov/vuln/detail/CVE-2020-1350
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

# Backup of the DNS parameters key, written before the workaround is applied
$RegBackupFile = "c:\windows\temp\DNS-CVE-2020-1350.reg"

#Conditions for applying the workaround DNS Role installed, DNS Server running
$DNSServerInstalled = [bool] (Get-WindowsFeature | Where-Object {($_.name -like "DNS") -and ($_.InstallState -eq "Installed")})
$DNSServerRunning = (Get-Service DNS -ErrorAction Ignore).Status -eq "Running"

function Check-Workaround(){
    try {
        # -ErrorAction Stop makes a missing value a terminating error, so the catch block always handles it
        if (Get-ItemPropertyValue -path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" -Name TcpReceivePacketSize -ErrorAction Stop){
            return $True # Workaround already applied
        }
    }
    catch {
        Return $False #No workaround applied
    }
}

function Apply-Workaround(){
    if ($DNSServerInstalled -and $DNSServerRunning -and $($(Check-Workaround) -eq $false)){
        Write-Verbose "DNS SERVER service is Installed and Running, Workaround not found in the registry"
        Write-Output "Starting to Backup of the Registry ( $RegBackupFile ) before applying the workaround"
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" $RegBackupFile
        New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" -Name TcpReceivePacketSize -PropertyType DWORD -Value 0xFF00
        # -Confirm prompts the operator before the DNS service is restarted
        Restart-Service DNS -verbose -Confirm
        Write-Output "Workaround applied."
    }
}

function Remove-Workaround(){
    if ($DNSServerInstalled -and $DNSServerRunning -and $($(Check-Workaround) -eq $true)){
        Write-Verbose "DNS SERVER service is Installed and Running, Workaround found in the registry"
        # -Confirm prompts before the registry value is deleted and again before the restart
        Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\" -Name TcpReceivePacketSize -Confirm
        Restart-Service DNS -verbose -Confirm
        Write-Output "Workaround removed."
    }
}
```
To make it clearer, I’ve copied the execution of the script and its output below.
```
PS C:\> . .\Workaround-CVE-2020-1350.ps1
PS C:\> Check-Workaround
False
PS C:\> Apply-Workaround
Starting to Backup of the Registry ( c:\windows\temp\DNS-CVE-2020-1350.reg ) before applying the workaround
The operation completed successfully.


TcpReceivePacketSize : 65280
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Par
                       ameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry

Confirm
Are you sure you want to perform this action?
Performing the operation "Restart-Service" on target "DNS Server (DNS)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Workaround applied.


PS C:\> Check-Workaround
True
PS C:\> Remove-Workaround

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove Property" on target "Item:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ Property: TcpReceivePacketSize".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Confirm
Are you sure you want to perform this action?
Performing the operation "Restart-Service" on target "DNS Server (DNS)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Workaround removed.
PS C:\> Check-Workaround
False
PS C:\>
```
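A read-only alternative to the two checks above (re-running New-ItemProperty until it fails, and Check-Workaround), shown as an added example that is not part of the original script: it reads TcpReceivePacketSize and compares it with 0xFF00 instead of only testing that the value exists. The function name Get-WorkaroundState and the State labels are hypothetical.

```powershell
# Added example, not part of Workaround-CVE-2020-1350.ps1.
# Get-WorkaroundState and the State labels are hypothetical names.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Expected  = 0xFF00   # value set by the workaround on this page (65280)

function Get-WorkaroundState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Read-only probe: nothing is written to the registry.
    $probe = {
        param($Path, $Expected)
        $svc  = Get-Service -Name DNS -ErrorAction SilentlyContinue
        # With SilentlyContinue a missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $Path -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
        $value = if ($item) { $item.TcpReceivePacketSize } else { $null }

        if (-not $svc)                { $state = 'NoDnsService' }
        elseif ($null -eq $value)     { $state = 'Missing' }
        elseif ($value -ne $Expected) { $state = 'UnexpectedValue' }
        else                          { $state = 'Applied' }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            DnsService = if ($svc) { [string]$svc.Status } else { 'n/a' }
            Value      = if ($null -ne $value) { '0x{0:X}' -f $value } else { 'n/a' }
            State      = $state
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $probe $DnsParams $Expected          # local machine, no remoting needed
        }
        else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $DnsParams, $Expected
        }
    }
}

# Local check; pass -ComputerName "lab-dc01", "lab-doc" to query the lab servers from the page.
Get-WorkaroundState | Format-Table Computer, DnsService, Value, State -AutoSize
```

A server reported as UnexpectedValue would still make Check-Workaround return True, because that function only tests that the value is present.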
Conclusion
This vulnerability scored a perfect 10. As usual, you can find these scripts on my GitHub repository.
Update
[17/07/2020] I’m updating this article adding a couple of useful links to read on this topic.