Greg Fazekas

Security advisory: Windows DNS critical vulnerability

System administrators are urged to deploy the patch for Windows DNS as soon as possible, or temporarily lower the maximum length of the DNS message.

Jul 15th, 2020

As reported, a critical vulnerability designated CVE-2020-1350 has been found in Windows DNS, Microsoft’s DNS server software.

The bug, which affects only Windows Server platforms (Windows 10 and other client versions are not affected), has been acknowledged by Microsoft and assigned the highest risk score of 10 on the Common Vulnerability Scoring System (CVSS).

A patch that fixes this vulnerability was released on July 14th, 2020. Microsoft has stated that they are not aware of any active exploits for it. (But given that it targets old code and the patch had to be released quickly, extensive investigation did not take place.)

System administrators are urged to deploy the patch for their Windows DNS software as soon as possible. If that’s not possible, temporarily lower the maximum length of the DNS message to 0xFF00 by using the command line and executing:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
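To confirm the workaround is in place on each DNS server, the following PowerShell check reads the registry value and reports when the DNS service process last started, so it can be compared with the time the value was set. It is an added example, not part of the original advisory or Microsoft's guidance; the function name Test-DnsTcpReceiveWorkaround and its output fields are hypothetical.

```powershell
# Added example: audit the TcpReceivePacketSize workaround on one or more servers.
# Function name and output field names are hypothetical; run with admin rights.
function Test-DnsTcpReceiveWorkaround {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $limit = 0xFF00   # value given in the advisory

        # Read the DWORD; $null means the value was never created.
        $prop  = Get-ItemProperty -Path $path -Name 'TcpReceivePacketSize' -ErrorAction SilentlyContinue
        $value = if ($prop) { [int]$prop.TcpReceivePacketSize } else { $null }

        # The setting only takes effect after the DNS service restarts,
        # so report when the running service process was started.
        $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
        $started = $null
        if ($svc -and $svc.ProcessId -gt 0) {
            $started = (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).StartTime
        }

        if (-not $svc)             { $state = 'NoDnsService' }
        elseif ($null -eq $value)  { $state = 'NotSet' }
        elseif ($value -le $limit) { $state = 'Applied' }
        else                       { $state = 'TooLarge' }

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            TcpReceivePacketSize = if ($null -ne $value) { '0x{0:X}' -f $value } else { $null }
            WorkaroundState      = $state
            DnsServiceStatus     = if ($svc) { $svc.State } else { $null }
            DnsProcessStartTime  = $started
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $name -ScriptBlock $check }
    }
}

# Example call against the local server:
Test-DnsTcpReceiveWorkaround | Format-List
```

A server reporting Applied whose DnsProcessStartTime is earlier than the registry change still needs the DNS service restarted.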

Men&Mice software is not affected by the vulnerability; we only strongly encourage everyone to patch their Windows DNS software. Given the essential nature of these core services, it's important that network administrators keep DNS (as well as DHCP) software up-to-date and secure.

Read a more detailed analysis of the vulnerability on Check Point Research and Microsoft’s Security Blog.