On Tuesday March 9, 2021 Microsoft rolled out its monthly update. Included in these fixes were seven security updates involving DNS vulnerabilities and of those seven, five included remote code execution (RCE) with a critical CVSS (Common Vulnerability Scoring Standard) score of 9.8 out of 10. Guidance and PoC (Proof of Concept) have been provided and all seven vulnerabilities have been confirmed to be within the Dynamic Zone Update activity. Microsoft has confirmed none of the five RCE’s are wormable. Researchers at McAfee Security provided some additional context to help administrators understand the potential impact.
For Active Directory DNS updates, in order for these vulnerabilities to be exploited by an attacker, at least two criteria need to be met:
- The DNS server must accept write requests to at least one Zone.
- An attacker must specifically craft a DNS request that supplies a Zone target.
The DNS server configuration that would be at the highest risk for exploitation is a DNS server in “Dynamic Update” insecure mode (meaning that update requests are not digitally signed), and which is exposed directly to the Internet. Any organization that has a DNS server with this configuration should seriously reconsider its security stance and take immediate action to protect the DNS server.
McAfee researchers noted that no active exploitation of these vulnerabilities has been seen yet, stating, “We are not aware of any exploitation in the wild of these vulnerabilities so we must focus on the access capabilities, i.e., close the door on the threat actor opportunity.”
Analyst Notes
DNS underpins almost all other protocols used on the Internet, and as a result, DNS servers are some of the most widely deployed services that practically all organizations have implemented. It is also frequently found to be misconfigured and left vulnerable to attacks. It is critical to have Security Teams aware of the risks and watching for vulnerabilities to be disclosed and updates to be released. There are basics to DNS hardening that really do go a long way toward a more secure deployment, but with all vulnerabilities, these can sneak up on IT administration teams and render common hardening techniques ineffective.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26897
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/
