Windows DNS Server Denial of Service vulnerability

Another addendum from last week: Microsoft has issued a security advisory regarding a DNS Server Denial of Service vulnerability in Windows.


The whole thing kind of stuck with me because it was flushed into my mailbox on 5/20/2020. Here is the notification.

*********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 19, 2020
*********************************************************************

Security Advisories Released or Updated on May 19, 2020
=======================================================

* Microsoft Security Advisory ADV200009

ADV200009 | Windows DNS Server Denial of Service Vulnerability
– Reason for Revision: Information published.
– Originally posted: May 19, 2020
– Updated: N/A
– Version: 1.0


The background is explained by Microsoft in ADV200009. Microsoft is aware of a vulnerability related to packet forwarding in DNS resolution for Windows servers. An attacker could exploit this vulnerability for DoS attacks, causing the DNS server service to stop responding.

The vulnerability from Microsoft's perspective

To exploit this vulnerability, an attacker would need access to at least one client and one domain that responds with a large set of referral records, without glue records, that point to external victim subdomains. When resolving a name from the attacker's client, the resolver contacts the victim's domain for each referral record found. This action can generate a large number of communications between the recursive resolver and the victim's authoritative DNS server to trigger a Distributed Denial of Service (DDoS) attack.
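On the resolver side, the pattern described above shows up as a referral whose NS names carry no glue and all point into one unrelated domain. The following check is an added example, not code from Microsoft's advisory or from this post; the record layout, the threshold of 10 and the two-label domain grouping are assumptions, and the sample referrals are constructed.

```python
from collections import Counter

def parent_domain(name, labels=2):
    """Group a host name by its last `labels` labels.
    Assumption: good enough for a demo; use a public-suffix list in production."""
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def glueless_fanout(zone, ns_targets, glue_names):
    """Count NS targets of a referral that have no glue record and lie
    outside the delegated zone, grouped by the domain they point into.
    Each such name forces the resolver to start an extra lookup there."""
    zone = zone.rstrip(".").lower()
    glue = {g.rstrip(".").lower() for g in glue_names}
    fanout = Counter()
    for target in ns_targets:
        t = target.rstrip(".").lower()
        in_bailiwick = t == zone or t.endswith("." + zone)
        if t not in glue and not in_bailiwick:
            fanout[parent_domain(t)] += 1
    return fanout

def suspicious_referrals(referrals, threshold=10):
    """Return (delegated zone, targeted domain, count) for every referral
    that sends at least `threshold` glueless lookups at one domain."""
    findings = []
    for r in referrals:
        fanout = glueless_fanout(r["zone"], r["ns"], r["glue"])
        for domain, count in fanout.items():
            if count >= threshold:
                findings.append((r["zone"], domain, count))
    return findings

# Constructed sample referrals (reserved .example names, not real traffic).
SAMPLE = [
    # Normal delegation: in-zone name servers, glue present.
    {"zone": "example.org", "ns": ["ns1.example.org", "ns2.example.org"],
     "glue": ["ns1.example.org", "ns2.example.org"]},
    # Pattern from the advisory: many glueless names inside another domain.
    {"zone": "sub.attacker.example",
     "ns": [f"r{i}.victim.example" for i in range(40)], "glue": []},
    # Ordinary hosted DNS: two glueless out-of-zone name servers.
    {"zone": "example.net",
     "ns": ["ns1.dnshost.example", "ns2.dnshost.example"], "glue": []},
]

if __name__ == "__main__":
    for zone, domain, count in suspicious_referrals(SAMPLE):
        print(f"referral for {zone}: {count} glueless NS names in {domain}")
```

The threshold needs tuning against real traffic, since hosted DNS providers legitimately hand out a handful of glueless out-of-zone name servers per zone.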

The NXNSAttack

If I haven't got it wrong, this should be the NXNSAttack problem (amplification attacks on the name servers) linked in the above tweet.

Microsoft has outlined workarounds in ADV200009 that administrators can use to mitigate the problem. It boils down to Response Rate Limiting (RRL). Microsoft has described this in this document.

