All scripts and code are provided as-is. I am not responsible for any undesired consequences as a result of you running them. Use at your own risk.
There is a newly disclosed vulnerability affecting Windows DNS Server, CVE-2020-1350, a remote code execution flaw in the DNS Server service. It is serious, and Microsoft's recommendation is to install the patch and reboot your servers. A list of the applicable updates has been published as well. If you are unable to install the patch and reboot right away, Microsoft has also issued a registry-based workaround (the TcpReceivePacketSize value), which only requires a restart of the DNS service to take effect.
My colleagues and I jumped on this right away and began patching our DNS servers. I used the following ConfigMgr query to identify them first:
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client, SMS_G_System_SERVICE.DisplayName
from SMS_R_System
inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVICE.Name = "DNS"
After identifying our DNS servers, we patched them by downloading and installing the updates manually. That process worked for us; if you have hundreds of DNS servers, push the updates out through WSUS or ConfigMgr instead.
The problem we came across was our 2008 R2 boxes... yes, we still have a few of them. These servers do not have Extended Security Updates (ESU), and I believe that is the reason we received the following warning when trying to install the patch.
Detection Script
The next step was to apply the workaround. I created a Configuration Baseline to check for and set the workaround on the 2008 R2 boxes that could not install the patch. The detection logic works as follows.

First, check that the DNS service exists. If the script is accidentally run on a machine without the DNS Server role, report it as compliant, because there is nothing to "remediate" on that server.

Second, check for the KBs that Microsoft issued to patch this vulnerability. Installing one of the patches does not create the workaround value in the registry, so if any of the patches is installed, the server is marked compliant as well. Keep in mind that these KBs are subject to supersedence: once a later cumulative update replaces them, the KB IDs in the list may no longer be reported by Win32_QuickFixEngineering, and a fully patched server would then fall through to the registry check and be reported non-compliant (and, with remediation enabled, have the workaround applied and its DNS service restarted). Update the list as new updates ship. Special thanks to Cody Mathis for helping me out with the KB detection logic.

Finally, if the DNS service exists and none of the patches is installed, check the registry for the workaround value. If it is present with the expected value (0xFF00, or 65280 in decimal), the server is compliant. Otherwise it is non-compliant: the script returns 'Non-Compliant' when the value exists but is wrong and 'No Reg Value Found' when it is missing, so the compliance rule in the baseline should treat only the string 'Compliant' as a pass.
<#
## Detection Method for CVE-2020-1350
## https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
## Special thanks to @CodyMathis123 for the Hotfix Detection help
#>

## Workaround registry value from the Microsoft advisory: TcpReceivePacketSize = 0xFF00 (65280)
$registrypath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
$Name  = "TcpReceivePacketSize"
$value = 65280

## DNS Server service (null if the role is not installed)
$DnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue

## KBs that patch the vulnerability; these are subject to supersedence, keep the list current
$KB = @('KB4558998', 'KB4565483', 'KB4565503', 'KB4565511', 'KB4565524', 'KB4565529',
        'KB4565535', 'KB4565536', 'KB4565537', 'KB4565539', 'KB4565540', 'KB4565541')

## Build one WQL query: HotFixId = 'KB...' OR HotFixId = 'KB...' OR ...
$ArticleFilter    = [string]::Format("HotFixId = '{0}'", [string]::Join("' OR HotFixId = '", $KB))
$Query            = [string]::Format("SELECT * FROM Win32_QuickFixEngineering WHERE {0}", $ArticleFilter)
$HotfixInstalled  = Get-CimInstance -Query $Query -ErrorAction Stop

if ($DnsService) {
    ## DNS Server role installed: a patched server is compliant regardless of the registry value
    if ($HotfixInstalled) {
        return 'Compliant'
    }

    ## Unpatched: the workaround value must be present and set to 0xFF00
    try {
        $regvalue = Get-ItemProperty -Path $registrypath -Name $Name -ErrorAction Stop
        if ($regvalue.$Name -eq $value) {
            return 'Compliant'
        }
        else {
            ## Value exists but is not 0xFF00
            return 'Non-Compliant'
        }
    }
    catch {
        ## Get-ItemProperty threw: the value (or the Parameters key) does not exist
        return 'No Reg Value Found'
    }
}
else {
    ## DNS Server role not installed: nothing to remediate
    return 'Compliant'
}
Remediation Script
The remediation script is simple. It creates the workaround value in the registry (TcpReceivePacketSize = 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) and, as the issued workaround requires, restarts the DNS service so the new value takes effect.
try {
    ## Workaround value from the Microsoft advisory; -Force overwrites an existing (wrong) value
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters" `
                     -Name "TcpReceivePacketSize" -PropertyType DWord -Value 0xFF00 `
                     -Force -ErrorAction Stop | Out-Null

    ## The DNS service must be restarted for the registry change to take effect
    Restart-Service -Name DNS -ErrorAction Stop
}
catch {
    ## Surface the failure to the ConfigMgr client log rather than failing silently
    Write-Warning "$($_.Exception.Message)"
}
I created a configuration baseline out of these two scripts and deployed it to a collection built from the query above, which groups my DNS servers together. You may decide to target a smaller or larger group of servers.
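As an added example (this is not part of the original post), here is how the same collection, configuration item, baseline and deployment can be built with the ConfigMgr PowerShell module instead of clicking through the console. It assumes the detection and remediation scripts above have been saved to disk as Detect-CVE-2020-1350.ps1 and Remediate-CVE-2020-1350.ps1, a site code of 'PS1', a limiting collection named 'All Systems' and a collection name of 'DNS Servers'; all of these are placeholders to adjust, and the cmdlet parameters should be checked against the ConfigMgr module version in your environment.

```powershell
<#
Added example, not from the original post: create the DNS Servers collection,
a Configuration Item wrapping the detection/remediation scripts, a baseline and
a deployment with remediation enabled, using the ConfigMgr PowerShell module.
Site code, script paths and collection names below are assumed placeholders.
Run from a machine with the ConfigMgr console installed.
#>
param(
    [string]$SiteCode           = 'PS1',                      # assumption: your site code
    [string]$ScriptRoot         = 'C:\Scripts\CVE-2020-1350', # assumption: where the two scripts were saved
    [string]$CollectionName     = 'DNS Servers',
    [string]$LimitingCollection = 'All Systems',
    [string]$BaselineName       = 'CVE-2020-1350 DNS workaround'
)

## The console sets SMS_ADMIN_UI_PATH to ...\bin\i386; the module lives one level up in ...\bin
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1') -ErrorAction Stop
Push-Location "$($SiteCode):"
try {
    ## 1. Collection of DNS servers, using the same service-based WQL as the query in the post
    $wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVICE.Name = "DNS"
"@
    if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
        New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName $LimitingCollection | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName 'DNS Server service present' -QueryExpression $wql
    }

    ## 2. Configuration Item with a script setting; the discovery script must return the string 'Compliant'
    $detect    = Get-Content -Path (Join-Path $ScriptRoot 'Detect-CVE-2020-1350.ps1')    -Raw
    $remediate = Get-Content -Path (Join-Path $ScriptRoot 'Remediate-CVE-2020-1350.ps1') -Raw

    $ci = New-CMConfigurationItem -Name $BaselineName -CreationType WindowsOS `
        -Description 'Checks for the CVE-2020-1350 patch KBs or the TcpReceivePacketSize workaround'
    Add-CMComplianceSettingScript -InputObject $ci -Name 'TcpReceivePacketSize workaround' -DataType String `
        -DiscoveryScriptLanguage PowerShell   -DiscoveryScriptText   $detect `
        -RemediationScriptLanguage PowerShell -RemediationScriptText $remediate `
        -RuleName 'Patched or workaround applied' `
        -ExpectedValue 'Compliant' -ExpressionOperator IsEquals `
        -Remediate -NoncomplianceSeverity Critical -Is64Bit

    ## 3. Baseline containing the CI, deployed with remediation enabled on a daily evaluation schedule
    $baseline = New-CMBaseline -Name $BaselineName
    Set-CMBaseline -InputObject $baseline -AddOSConfigurationItem $ci.CI_ID
    $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
    New-CMBaselineDeployment -InputObject $baseline -CollectionName $CollectionName `
        -EnableEnforcement $true -GenerateAlert $true -Schedule $schedule
}
finally {
    Pop-Location
}
```

Because the remediation script restarts the DNS service, enabling enforcement means any server that evaluates as non-compliant (including a patched one whose KB has been superseded out of Win32_QuickFixEngineering) will have its DNS service restarted on the evaluation schedule. Leave -OverrideServiceWindow at its default so remediation only runs inside maintenance windows, and keep the KB list in the detection script current.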
Again, I don't claim to be the greatest coder known to man, so use these at your own risk. I'm sure there are a million changes that could make these better, but hopefully it helps someone out. If you notice something wrong, let me know.