Microsoft DNS Server Vulnerability Highlights Importance of Patching
July 22nd, 2020 by James Talbot

Microsoft recently released their monthly patches for Microsoft Windows, and this month's release includes fixes for 123 security flaws across 13 products. Amongst these fixes is a patch for Microsoft DNS Server. The patch addresses a remote code execution vulnerability, detailed under CVE-2020-1350.
This remote code execution flaw has been given the maximum CVSS score of 10/10 because it can be exploited by an unauthenticated attacker with no user interaction, and it has the potential to be turned into an automated or "wormable" exploit. The DNS service also runs as SYSTEM, the highest possible privilege level, so successful exploitation gives full access to the targeted machine.
The Microsoft DNS service is mainly used to support Microsoft Active Directory environments, and is routinely installed on Active Directory Domain Controllers. As Domain Controllers are the core infrastructure that performs authentication and authorisation for every Domain-joined system, it is imperative that these servers are protected. A threat actor who compromised a Domain Controller running DNS could elevate their rights to Domain Administrator and then move laterally to every other system in the network that is Domain-joined or uses Active Directory as a trusted authentication source. This can include SaaS-based applications (such as Office 365), Linux servers integrated with Samba, and network devices authenticating via RADIUS, amongst others.
Security fixes such as these are a regular occurrence. The WannaCry outbreak is a good example of threat actors exploiting unpatched systems after a fix was available. While Microsoft had previously released patches to close the vulnerability, much of WannaCry's spread was through organisations that had not applied them, or were using older Windows systems that were past their end-of-life. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of pounds; all because systems were not patched.
Why Patching is Important
Businesses rely on their information technology infrastructure to operate their business effectively, save money, and increase profitability. However, the growing threat of malicious virus and ransomware attacks in recent years has forced businesses to re-evaluate their security posture.
Microsoft produce regular security patches for vulnerabilities in their systems, and research has shown that the most efficient way to be protected against attacks is to ensure that every machine in the environment has the latest patches installed. If just one computer in the environment is not patched, it can threaten the security and stability of the entire environment and possibly inhibit normal functionality.
For maximum protection you need a solution that manages patches for Microsoft operating systems and applications in an automated, yet stringently controlled process.
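As a practical illustration of the "every machine patched" point above, the following PowerShell script audits which Domain Controllers run the DNS Server role and whether a given security update is installed on each. This is an added example and is not code from the original article or from BrightCloud; it assumes the ActiveDirectory and ServerManager modules are available (RSAT or Windows Server), that the caller can query the Domain Controllers remotely, and the $KbId value is a placeholder to be replaced with the KB number from Microsoft's advisory for CVE-2020-1350 for the relevant OS build.

```powershell
# Added example (not from the original article): audit Domain Controllers for the
# DNS Server role and the presence of a given security update.
# Assumes: ActiveDirectory and ServerManager modules available, remote query rights.
# $KbId is a placeholder, not a real KB identifier; take the real one from the advisory.
param(
    [string]$KbId = 'KB0000000'   # placeholder KB number
)

Import-Module ActiveDirectory
Import-Module ServerManager

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Does this Domain Controller have the DNS Server role installed?
    $dnsRole = Get-WindowsFeature -Name DNS -ComputerName $name -ErrorAction SilentlyContinue
    $hasDns  = [bool]($dnsRole -and $dnsRole.Installed)

    # Is the update present? Get-HotFix returns nothing when the KB is absent.
    $fix = Get-HotFix -Id $KbId -ComputerName $name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $name
        DnsServerRole    = $hasDns
        PatchInstalled   = [bool]$fix
        InstalledOn      = if ($fix) { $fix.InstalledOn } else { $null }
        # Exposed: runs the vulnerable role but the fix is missing
        Exposed          = ($hasDns -and -not $fix)
    }
}

# List the exposed servers first so they stand out in the report
$results | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

Run it from a management host with the ActiveDirectory module loaded; any row marked Exposed is a Domain Controller that serves DNS without the fix and should be prioritised in the next patching window.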
Patching is a key part of the Government’s security guidance as part of Cyber Essentials, for more information visit www.cyberessentials.ncsc.gov.uk.
Patch Management as a Service
Some Managed Service Providers, including BrightCloud, have designed patch management services to remove the burden of managing patching cycles for virtual or physical server estates. Benefits of a patch management service include:
- No need to resource time-consuming patching operations
- Allows you to act quickly when new vulnerabilities are discovered
- Servers can be patched remotely
- Patching can happen on a schedule that suits you
The BrightCloud Approach
BrightCloud manage the entire patching process for all of your physical or virtual servers (VMware or Hyper-V). We can patch servers directly from our management console via a secure VPN from our ISO9001/27001 certified datacentre, with management from our Network Operations Centre (NOC) in Daventry. Alternatively we can leverage the power of a remote agent connecting via a cloud proxy to automatically deploy patches with no user intervention and without the need for any firewall/VPN changes.
We work with you to categorise your server estate into high, medium and low risk categories based on the likelihood of an installed patch causing issues with an application, and then tailor the patching process to suit. This will generally involve patching different groups of servers on different dates with the most crucial servers usually patched later in the month to allow any issues to be identified before they have a chance to impact critical business operations.
Low risk server groups can be automatically patched with no user testing required, whereas high risk server groups may need service monitoring, script execution or user testing post patch.
In addition to these precautions, BrightCloud always start by patching security updates only, which are generally less likely to cause issues with the operating system. Should you require additional patching, such as feature-based updates, we can work with you to include these in the patching cycles.