On July 14, 2020, the Alibaba Cloud emergency response center observed that Microsoft had released a patch for a DNS Server remote code execution vulnerability (CVE-2020-1350). Microsoft officially classifies this vulnerability as wormable and high-risk.

Unauthenticated attackers can exploit this vulnerability by sending specially constructed packets to the target DNS server, achieving remote code execution. If the DNS service runs on a domain controller, exploitation yields system privileges on that domain controller. We recommend that Windows users take security measures as soon as possible to mitigate this vulnerability.

Scope of impact:
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
  • Windows Server 2012
  • Windows Server 2012 (Server Core)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core)
  • Windows Server 2016
  • Windows Server 2016 (Server Core)
  • Windows Server 2019
  • Windows Server 2019 (Server Core)
  • Windows Server, version 1903 (Server Core)
  • Windows Server, version 1909 (Server Core)
  • Windows Server, version 2004 (Server Core)

Risk level: high

Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.

Rule type: command execution

Security suggestions:
  • Temporary solution: Set the value of TcpReceivePacketSize under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00, then restart the DNS service.
  • Go to the Microsoft official website to download the security patch and install the patch.
  • Use the Intrusion Prevention feature of Cloud Firewall.
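The following PowerShell script is an added example for the temporary workaround above; it is not Alibaba Cloud's or Microsoft's own tooling. It assumes it is run in an elevated PowerShell session on the affected Windows DNS server, that the service is registered under the name "DNS", and that the registry path and value are exactly those cited in the advisory. Without `-Apply` it only audits whether the workaround is already in place; with `-Apply` it writes the DWORD value and restarts the DNS service.

```powershell
# Added example (not the advisory's own script): audit and apply the temporary
# CVE-2020-1350 registry workaround described above.
# Assumptions: elevated session on the DNS server; service name "DNS";
# registry path and value taken from the advisory.
param([switch]$Apply)   # omit -Apply to audit only

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00     # 65280 decimal, the value the advisory recommends

function Test-Cve20201350Workaround {
    # Returns $true when the DWORD already exists and holds the recommended value.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq $Expected)
}

function Set-Cve20201350Workaround {
    # Creates or overwrites the DWORD, then restarts the DNS service so the
    # new receive-size limit takes effect.
    if (-not (Test-Path $RegPath)) {
        throw "Registry path $RegPath not found: is the DNS Server role installed?"
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
    Restart-Service -Name 'DNS' -Force
}

if (Test-Cve20201350Workaround) {
    Write-Output ("Workaround present: {0} = 0x{1:X}" -f $ValueName, $Expected)
} elseif ($Apply) {
    Set-Cve20201350Workaround
    Write-Output "Workaround applied and DNS service restarted."
} else {
    Write-Output "Workaround NOT present; re-run with -Apply to set it, or install the Microsoft patch."
}
```

The audit function is separate from the apply step so the same script can be pushed fleet-wide in read-only mode first and the results reviewed before any DNS service is restarted. Treat the registry value as a stopgap: the permanent fix is the Microsoft security patch, and Microsoft's guidance notes that with this workaround in place the server cannot resolve names whose upstream response exceeds 65,280 bytes, so unusually large responses will fail until the patch is installed.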