Microsoft has released a patch to address vulnerability CVE-2020-1350, a Windows DNS server remote code execution vulnerability. This vulnerability’s exploit is considered “wormable.” The vulnerability has also been in existence for the last 17 years.
The recently discovered DNS bug can be traced back as early as 2003. The CVE-2020-1350 entry was created on November 4, 2019, with the July 14, 2020, “Patch Tuesday” having finally addressed the 17-year-old bug. According to ZDNet, the vulnerability was assigned a CVSS (Common Vulnerability Scoring System) rating of 10, the highest level.
Think of DNS, or domain name service, as a phonebook. Instead of punching “John Smith” into your phone (assuming that John Smith isn’t in your contacts), you would look up John’s phone number and then dial that in. When you type in www.infotech.com, a query is sent to a DNS server that maps that machine name back to an IP address. It is the IP address (phone number, if you go back to the John Smith example) that your machine needs to connect to its destination.
The bug in question allows a malicious actor to send a large query type (over 64kb), which then creates a condition called “buffer overflow,” usually a situation that is remedied by the software. The bug prevents the remedying of that condition, resulting in the malicious actor having the ability to take control of the server. This means that someone other than John Smith can potentially intercept the phone calls, faxes, or snail mail (or worse: Amazon packages!) simply by changing the entry for “John Smith” and redirecting the “phone number” entry.
Now, apply this analogy back to the web address/machine name and IP address mapping and you can quickly see why this raises such alarming concern.
Thankfully, Microsoft has recently released a patch to address CVE-2020-1350. Our advice? Patch your servers without delay!
Many organizations’ vulnerability management or infrastructure release management programs maintain a regular cadence of patching. This allows organizations to prioritize the criticality of patches, test the patches to ensure that they don’t break anything, and then schedule the deployment of patches.
There is usually an expedited process and emergency change management process to deploy critical patches that cannot wait for the regular release management cycle. For organizations this applies to, the CVE-2020-1350 vulnerability should be at the top of the emergency change management list.
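A monitoring check tied to the oversized-message condition described above, as an added example that is not from the original article or from Microsoft: it walks a reassembled DNS-over-TCP stream and flags messages whose declared length approaches 64 KB. The `SIZE_THRESHOLD` value, the function names and the sample stream are assumptions constructed for illustration.

```python
import struct

# Assumption (not from the article): flag messages at or above this size.
# The article only says "over 64kb"; tune the value to your own traffic.
SIZE_THRESHOLD = 65000

def iter_tcp_dns_messages(stream: bytes):
    """Yield (offset, declared_len, body) for each DNS message in a
    reassembled TCP stream. DNS over TCP prefixes every message with a
    2-byte big-endian length (RFC 1035, section 4.2.2)."""
    offset = 0
    while offset + 2 <= len(stream):
        (declared,) = struct.unpack_from("!H", stream, offset)
        body = stream[offset + 2 : offset + 2 + declared]
        yield offset, declared, body
        if len(body) < declared:  # capture ends mid-message: stop here
            return
        offset += 2 + declared

def inspect_stream(stream: bytes, threshold: int = SIZE_THRESHOLD):
    """Return findings for oversized messages and messages too short to parse."""
    findings = []
    for offset, declared, body in iter_tcp_dns_messages(stream):
        if len(body) < 12:  # a DNS header is always 12 bytes
            findings.append({"offset": offset, "reason": "short-header", "length": declared})
            continue
        txid, flags, _qd, answers, _ns, _ar = struct.unpack_from("!6H", body, 0)
        if declared >= threshold:
            findings.append({
                "offset": offset, "reason": "oversized", "length": declared,
                "txid": txid, "direction": "response" if flags & 0x8000 else "query",
                "answers": answers, "truncated_capture": len(body) < declared,
            })
    return findings

def build_msg(txid: int, flags: int, payload_len: int, answers: int = 0) -> bytes:
    # Constructed sample: real 12-byte header, zero padding instead of records.
    body = struct.pack("!6H", txid, flags, 1, answers, 0, 0) + b"\x00" * payload_len
    return struct.pack("!H", len(body)) + body

# Constructed stream: a small query, a small response, one ~64 KB response.
SAMPLE_STREAM = (build_msg(0x1111, 0x0100, 30) + build_msg(0x1111, 0x8180, 60, 1)
                 + build_msg(0x2222, 0x8180, 65400, 1))

if __name__ == "__main__":
    for finding in inspect_stream(SAMPLE_STREAM):
        print(finding)
```

A hit from a check like this is a prompt to confirm the patch status of the DNS server involved, not proof of an attack; legitimate large responses such as zone transfers can also trip it.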