Background

Today is July 2020 Patch Tuesday, and Microsoft has released updates/fixes for multiple vulnerabilities. One of them is a critical vulnerability with a CVSS score of 10.
 

What is the issue?

Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350)

Microsoft released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.

Systems impacted

• Windows Server 2019
• Windows Server 2019  (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)
• Windows Server 2016
• Windows Server 2016  (Server Core installation)
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

What can you do to protect yourself?

According to Microsoft, this vulnerability is not currently known to be used in active attacks. It is essential that customers apply Windows updates to address this vulnerability as soon as possible. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. 

It is important to have updated security software and the latest software patches applied to the endpoints. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. And disable macros in Office programs. Do not enable them unless it is essential to do so.

Zscaler coverage

Zscaler ThreatLabZ has added detection signatures for exploitation of this vulnerability through our Advanced Cloud Firewall protection.
 

• Advanced Cloud Firewall Signatures
  Win32.Exploit.CVE-2020-1350

Details related to these threat signatures can be found in the Zscaler Threat Library.

Reference

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability