Threat Response: Critical Vulnerability in Microsoft Server 2003-2019

15-07-2020

On the 14th of July at 19:00 CEST Microsoft released new information regarding a critical remote code execution vulnerability (CVE-2020-1350) in Windows Server 2003 up to and including 2019 [1]. This vulnerability has received a CVSS score of 10 out of 10. No public exploit is available as of yet. In this message we inform you of the threat and potential mitigations.

Description

The vulnerability is a so-called wormable vulnerability in Windows DNS Server. This is a component of Windows Server that is used by Active Directory. Windows DNS Server can run on a dedicated single-purpose machine, but can also be a role that a server fulfils in the domain. The vulnerability allows unauthenticated attackers to remotely execute arbitrary code with the rights of the Local System account. Through this, the attacker can become local administrator on the server concerned. From there, it is relatively simple to become domain administrator. In this context "wormable" means that an exploit can spread automatically from machine to machine without any user interaction. This can lead to rapid spread after the initial attack.

This vulnerability is in all Windows Server versions from 2003 up to and including 2019.

Impact

This vulnerability allows attackers to eventually become domain administrator within the Windows domain. By becoming domain administrator, an attacker gains access to all accounts and roles in the Windows domain, and thus to the data that is managed in the domain. This makes the impact high.

Risk

No public or active exploit code is available currently. We do expect exploit code to appear in the short term, as the released patch can be reverse engineered to locate the vulnerability. Northwave assesses the risk of this vulnerability to be high.

Mitigation

Northwave recommends installing the patch immediately. This patch requires restarting the server. If it is not possible to install this update, a mitigation is available [2]. This mitigation has potential side effects, which are described in [2] as well.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

[2]: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.