Kaseya Community

CVE-2020-1350

  • Anyone doing anything re: CVE-2020-1350 https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

  • Applying the workaround on all Windows DCs and DNS servers. No issues so far…

    support.microsoft.com/.../windows-dns-server-remote-code-execution-vulnerability

    To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

    TcpReceivePacketSize

    Value = 0xFF00

    Note: You must restart the DNS Service for the registry change to take effect.

    • The Default (also max) Value = 0xFFFF

    • The Recommended Value = 0xFF00 (255 bytes less than the max)

    After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.



    Spelling fix
    [edited by: tbrewster at 1:40 PM (GMT -7) on Jul 14, 2020]
  • We posted an Agent Procedure on our home page (https://www.mspbuilder.com) that performs this update. No login required.

    Glenn

  • There will be an agent procedure on exchange.

  • Glenn, great procedure and we have deployed it globally.

    Anyone have a report to run to verify the status (pass\fail) of the Agent Procedure? I'm sure it's easy but I'm missing something in the formatting and clients have been asking all day.

  • Thanks - simple but effective. The procedure was set to fail if any part of the process failed. I won't assume creating a custom field for tracking - I hate that, especially for temporary stuff like this, but you could easily end the procedure with a command to update the status in a CF and run a report from that. One trick, since this will terminate on any failure, is to write the CF with an "unknown" status at the start, and then update it at the end with "Fix applied".  

    We'd use a generic CF, possibly the "VulnStatus" field our clients use for things like the Intel CPU or other one-time-ish checks. (one-time in this case might mean over a period of a few weeks or months, but not forever.)

    Glenn
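
Added example, not part of the thread and not the MSPbuilder Agent Procedure: a PowerShell check for the registry workaround quoted above that returns a single pass/fail string a procedure could write to a custom field. The function name and the status strings are assumptions made for this example.

```powershell
# Added example: audit (and optionally apply) the CVE-2020-1350 workaround.
# Function name and status strings are assumptions, not from the thread's procedure.
function Test-DnsTcpReceiveWorkaround {
    [CmdletBinding()]
    param(
        [switch]$Apply   # write the value and restart DNS when it is missing or wrong
    )
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $name     = 'TcpReceivePacketSize'
    $expected = 0xFF00   # recommended value from the advisory text quoted above

    # Only hosts with the DNS Server service installed are in scope.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotApplicable: DNS Server service not installed' }

    # A missing value yields $null, which means the default (0xFFFF) is in effect.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($current -eq $expected) { return 'Pass: TcpReceivePacketSize = 0xFF00' }

    if (-not $Apply) {
        $shown = if ($null -eq $current) { 'not set (default 0xFFFF)' } else { '0x{0:X}' -f $current }
        return "Fail: TcpReceivePacketSize is $shown"
    }

    # Apply: set the DWORD, then restart DNS so the change takes effect.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $expected -Force | Out-Null
    Restart-Service -Name 'DNS' -Force

    # Re-read rather than trust the write, so the reported status reflects the host.
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($after -eq $expected) { 'Fix applied' } else { 'Unknown' }
}

# Audit only; add -Apply to remediate.
Test-DnsTcpReceiveWorkaround
```

A "Pass" confirms only the registry value; it does not prove the DNS service was restarted after the value was written.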