Microsoft – DNS – “Windows DNS Server Remote Code Execution Vulnerability” – CVE-2020-1350 – Remediation – Configuration – Registry

Background

In the last week or so, Microsoft released an advisory relating to a security vulnerability within its DNS Server.

 

Security Vulnerability

Remote Code Execution Vulnerability

What is

What is a “Remote Code Execution Vulnerability”?

Most applications have an interface that accepts input ( command and data ) from the end-user.

If the end-user is able to present data and commands that bypass the application’s in-built security, the requester may be able to get the application to execute code in unintended ways.

Usual Protection

  1. Reduce the size of input buffer
  2. Sanitize accepted code
  3. Add better protection around code modules

Remediation

Outline

Here are the remediations Microsoft is asking its customers to put in place:

  1. Configuration
    • Registry
      • Reduce the maximum size of accepted input
  2. Software Upgrade

Configuration

Registry

Disclaimer

For the sake of brevity, we will only cover the configuration/registry change in this post.

We will have a follow-up for the software upgrade.

Processing

GUI

On the machines running Microsoft’s implementation of DNS Server:

  1. Access Microsoft Windows Registry ( Regedit )
    • Subkey
      • Access the DNS Parameters subkey ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters )
    • Item
      • Add a new item TcpReceivePacketSize, if it does not yet exist
      • Set the item’s type to DWORD and its value to 0xFF00
  2. Access Microsoft Windows Command Line Console
    • Run cmd.exe ( in administrator mode )
    • Restart DNS Server Service
      • net stop dns
      • net start dns
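
The Regedit and net stop / net start steps above, scripted in PowerShell as an added example; it is not from the original post or from Microsoft's guidance. The function name Test-Workaround and the variable names are chosen here, and the script assumes an elevated session on the DNS server itself.

```powershell
#Requires -RunAsAdministrator
# Added example: applies and verifies the registry setting described above.
$Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name     = 'TcpReceivePacketSize'
$Expected = 0xFF00   # value from the steps above

function Test-Workaround {
    # True only when the item exists, is a DWORD, and holds the expected value.
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) { return $false }
    return ($key.GetValueKind($Name) -eq 'DWord') -and
           ($key.GetValue($Name) -eq $Expected)
}

if (-not (Test-Path -Path $Path)) {
    throw "Subkey $Path not found; is the DNS Server role installed here?"
}

if (Test-Workaround) {
    # The value only takes effect after a service restart. If it was written
    # earlier without one, restart the DNS service manually.
    Write-Output "$Name is already set to 0x$('{0:X}' -f $Expected); no change made."
}
else {
    # -Force creates the item, or overwrites one with the wrong type or value.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
                     -Value $Expected -Force | Out-Null

    # Same effect as "net stop dns" followed by "net start dns".
    Restart-Service -Name DNS -Force

    if (-not (Test-Workaround)) {
        throw "$Name was not written as expected; check the subkey in Regedit."
    }
    Write-Output "$Name set to 0x$('{0:X}' -f $Expected) and DNS service restarted."
}

# Confirm the service came back up after the change.
Get-Service -Name DNS | Select-Object Name, Status
```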

Images

Image – Registry – Before Change

Image – Registry – Adding TcpReceivePacketSize

Image – Registry – Post Change

Image – DNS Service – Stop And Start

References

  1. Microsoft
    • Support
      • KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350
