Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350


View products that this article applies to.

Additional applies to information

This article specifically applies to the following Windows server versions:

  • Windows Server, version 2004 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1803 (Server Core Installation)
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2

↑ Back to the top


Introduction

On July 14, 2020, Microsoft released a security update for the issue that is described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.

A registry-based workaround can be used to help protect an affected Windows server, and it can be implemented without requiring an administrator to restart the server. Because of the volatility of this vulnerability, administrators may have to implement the workaround before they apply the security update in order to enable them to update their systems by using a standard deployment cadence.

↑ Back to the top


Workaround

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that's allowed:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 

Value = TcpReceivePacketSize 

Type = DWORD 

Value data = 0xFF00

Notes

  • The default (also maximum) Value data = 0xFFFF.
  • If this registry value is pasted or is applied to a server through Group Policy, the value is accepted but will not actually be set to the value that you expect. The value 0x cannot be typed into the Value data box. However, it can be pasted. If you paste the value, you get a decimal value of 4325120.
  • This workaround applies FF00 as the value which has a decimal value of 65280. This value is 255 less than the maximum allowed value of 65,535.
  • You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:

net stop dns && net start dns

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.

↑ Back to the top


Frequently asked questions

Does the workaround apply to all versions of Windows Server? 

The workaround is available on all versions of Windows Server running the DNS role. 

Will limiting the allowed size of inbound TCP based DNS response packets impact a server’s ability to perform a DNS Zone Transfer? 

We have confirmed that this registry setting does not affect DNS Zone Transfers. 

Do I need to apply the workaround AND install the update for a system to be protected? 

No, both options are not required. Applying the security update to a system resolves this vulnerability. The registry-based workaround provides protections to a system when you cannot apply the security update immediately and should not be considered as a replacement to the security update. After the update has been applied, the workaround is no longer needed and should be removed.

Do I need to remove the registry change after I apply the security update? 

The workaround is compatible with the security update. However, the registry modification will no longer be needed after the update is applied. Best practices dictate that registry modifications be removed when they are no longer needed to prevent potential future impact that could result from running a nonstandard configuration.   

Under what circumstances would I consider using the registry key workaround?

We recommend that everyone who runs DNS servers to install the security update as soon as possible. If you are unable to apply the update right away, you will be able to protect your environment before your standard cadence for installing updates.

Will this workaround affect any other TCP based network communications?

No. The registry setting is specific to inbound TCP based DNS response packets and does not globally affect a system’s processing of TCP messages in general.

↑ Back to the top


Keywords: CVE-2020-1350, kbsecurity, kbexpertiseinter, kblangall, kbmustloc, kbsecbulletin, kbsecreview, kbsecvulnerability, kbsurveynew, windows servers 2016

↑ Back to the top

Article Info
Article ID : 4569509
Revision : 50
Created on : 8/14/2020
Published on : 8/14/2020
Exists online : False
Views : 312