Microsoft has released a security update for the issue, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability.
This vulnerability has a CVSS Base score of 10. How bad is this?
“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”
With this setup in place, an attacker can trigger an integer overflow flaw in the function that parses incoming responses for forwarded queries (“dns.exe!SigWireRead”) to send a DNS response that contains a SIG resource record larger than 64KB and induce a “controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”
Put differently; the flaw targets the function responsible for allocating memory for the resource record (“RR_AllocateEx”) to generate a result bigger than 65,535 bytes to cause an integer overflow that leads to a much smaller allocation than expected.
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
Value = 0xFF00
Note You must restart the DNS Service for the registry change to take effect.
- The Default (also max) Value = 0xFFFF
- The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Read more here: Microsoft Support