It’s not DNS.
There’s no way it’s DNS.
It was DNS.
A system administrator’s haiku, one many have uttered before. Today it rings true once again. CVE-2020-1350 is a vulnerability found in _all_ versions of Windows Server DNS going back to 2003. Discovered by the folks at Checkpoint, this is a highly critical vulnerability: not only does it allow attackers to execute code as the Local System account, but Windows DNS servers are commonly also Domain Controllers, so a successful attack effectively grants access across the entire domain.
This is a terrifyingly simple exploit, and you are exploitable if your DNS server queries a malicious name server, which can be triggered in any number of ways. The easiest is a phishing attack on your users (see Checkpoint’s video for a 30 second demonstration).
Yet again the enterprise is looking at a critical security vulnerability. Our systems are too complex for us to rest assured all of the bugs were fixed ahead of time, and so organizations need to adopt a posture of Continuous Compliance and DevSecOps. Rapid response to these issues and continuous deployment processes are critical to resolving these vulnerabilities quickly and safely.
Here at Chef, that’s what we help our customers build. A couple of our Customer Architects & Consultants paired on creating a quick Chef InSpec profile that allows you to test your Windows Servers for the fix. It looks for either the KB to be installed or Microsoft’s registry workaround to be applied:

```ruby
title 'Windows DNS Vulnerability audit'

control 'CVE-2020-1350' do
  impact 1.0
  title 'Windows DNS Server Remote Code Execution Vulnerability'
  desc 'A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.'
  tag cve: 'CVE-2020-1350'
  ref 'CVE-2020-1350', url: 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350'

  # Not required to add an os-family check here, but included so the control
  # can be dropped into mixed-platform profiles.
  only_if { os[:family] == 'windows' && windows_feature('DNS').installed? }

  describe.one do
    describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters') do
      # InSpec tests the decimal value, so we provide it: 65280d = FF00h
      its('TcpReceivePacketSize') { should eq 65280 }
    end

    describe windows_hotfix('KB4558998') do
      it { should be_installed }
    end

    describe windows_hotfix('KB4565511') do
      it { should be_installed }
    end

    # … (hotfix checks for the other Windows Server versions truncated here)
  end
end
```
In the example here, we’ve truncated the other hotfix checks for the different versions of Windows Server, but the `describe.one` block ensures that as long as one of the tests passes, either the KB being installed or the registry workaround being applied, this control passes and the system is marked compliant against this CVE.
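For servers where Chef InSpec isn’t available on the box, the same three-way check can be done directly from an elevated PowerShell session. The script below is an added example, not code from the original post or from Chef’s profile: it gates on the DNS Server role like the `only_if` above, then passes if any listed KB is installed or if the registry workaround value is present, and can optionally apply Microsoft’s documented workaround (set `TcpReceivePacketSize` to `0xFF00` and restart the DNS service). The KB list holds only the two KBs named in the post; the placeholder entry must be replaced with the KB for your OS build from the MSRC advisory, and the cmdlet-based checks assume PowerShell 5.1 or later on Windows Server.

```powershell
# Added example (not from the original post or the Chef profile).
# Run elevated on a Windows Server. Usage:
#   .\Test-CVE-2020-1350.ps1                     # audit only
#   .\Test-CVE-2020-1350.ps1 -ApplyWorkaround    # audit, then apply the registry workaround if needed
param([switch]$ApplyWorkaround)

$dnsParams       = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$workaroundValue = 0xFF00   # 65280 decimal, the same value the InSpec control expects

# KBs taken from the post; '<KB-for-your-OS-build>' is a placeholder, not a real KB id.
$fixKbs = @('KB4558998', 'KB4565511', '<KB-for-your-OS-build>')

function Test-DnsRoleInstalled {
    # Same gate as the InSpec only_if: hosts without the DNS service are out of scope.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Test-WorkaroundApplied {
    # Mirrors the registry_key test: the value must exist and equal 0xFF00.
    $prop = Get-ItemProperty -Path $dnsParams -Name 'TcpReceivePacketSize' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }
    return ([int]$prop.TcpReceivePacketSize -eq $workaroundValue)
}

function Get-InstalledFixKb {
    # Mirrors the windows_hotfix tests: returns the first matching KB id, or $null.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $fixKbs) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Set-DnsWorkaround {
    # Microsoft's published workaround: write the DWORD and restart the DNS service.
    New-ItemProperty -Path $dnsParams -Name 'TcpReceivePacketSize' `
        -PropertyType DWord -Value $workaroundValue -Force | Out-Null
    Restart-Service -Name 'DNS'
}

if (-not (Test-DnsRoleInstalled)) {
    Write-Output 'DNS Server role not present; CVE-2020-1350 control is not applicable.'
    exit 0
}

$kb = Get-InstalledFixKb
if ($kb) {
    Write-Output "COMPLIANT: $kb is installed."
    exit 0
}
if (Test-WorkaroundApplied) {
    Write-Output 'COMPLIANT: registry workaround applied (TcpReceivePacketSize = 0xFF00). Still schedule the KB.'
    exit 0
}

Write-Output 'NON-COMPLIANT: no fix KB installed and the registry workaround is not applied.'
if ($ApplyWorkaround) {
    Set-DnsWorkaround
    Write-Output 'Workaround applied and DNS service restarted; re-run to confirm.'
}
exit 1
```

The ordering matters: a KB being present is checked first because the workaround is a stopgap, and the non-zero exit code lets the script plug into whatever scheduler or configuration-management run you already have, which is the same “test, then remediate” loop the InSpec control is meant to feed.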
We have the full profile on GitHub, and if you’re new to Chef InSpec, we recommend you start at learn.chef.io, specifically this course. If you have questions, or need any help with implementation, drop into the #inspec channel on our community Slack.
Our systems are complex, their interactions varied and we cannot ensure 100% security forever. We must always be vigilant to new threats and operate with Infrastructure & Compliance as code to rapidly respond to issues inside of our environments. These are the principles behind DevSecOps and Continuous Compliance.