{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-014.pdf"
    },
    "title": "Vulnerabilities in Microsoft DNS Server",
    "serial_number": "2021-014",
    "publish_date": "10-03-2021 21:39:00",
    "description": "On the 9th of March 2021, Microsoft released several security advisories for Windows DNS Server. Five of those vulnerabilities would allow a remote attacker to execute code on the target if the DNS service is exposed. One of them is considered critical by Microsoft (CVE-2021-26897).<br>No proof-of-concept or ongoing exploitation of these vulnerabilities is public yet. However, because of the potential impact of the vulnerabilities, and because the condition for a DNS server to be vulnerable (dynamic updates enabled) is the default configuration, it is highly recommended to apply the patches as soon as possible.<br>Enabling Secure Zone Updates would protect from attacks on public-facing interfaces, but not from an attacker with a foothold on the network (domain-joined computer).",
    "url_title": "2021-014",
    "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Microsoft\u00a0DNS Server'\nversion: '1.0'\nnumber: '2021-014'\ndate: 'March 10, 2021'\n---\n\n_History:_\n\n* _10/03/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 9th of March 2021, Microsoft released several security advisories for Windows DNS Server. Five of those vulnerabilities would allow a remote attacker to execute code on the target if the DNS service is exposed [1, 2, 3, 4, 5]. One of them is considered critical by Microsoft (CVE-2021-26897) [1].\n\nNo proof-of-concept or ongoing exploitation of these vulnerabilities is public yet. However, because of the potential impact of the vulnerabilities, and because the condition for a DNS server to be vulnerable (dynamic updates enabled) is the default configuration, it is highly recommended to **apply the patches as soon as possible**.\n\nEnabling Secure Zone Updates would protect from attacks on public-facing interfaces, but not from an attacker with a foothold on the network (domain-joined computer).\n\n# Technical Details\n\nMicrosoft gives the same description for all five vulnerabilities; however, McAfee provided a technical analysis of CVE-2021-26877 and CVE-2021-26897 [6].\n\nThe vulnerability identified as critical by Microsoft (CVE-2021-26897) is triggered when many consecutive Signature RR Dynamic Updates are sent to the DNS server, leading to a write on the heap when the updates are combined into base64-encoded strings before writing to the zone file.\n\nThe other analysed vulnerability (CVE-2021-26877) is triggered when a zone is updated with a TXT RR that has a `TXT length` greater than `Data length`.\n\n# Affected Products\n\n* Windows Server 2016\n* Windows Server 2019\n* Windows Server 2012 (including R2)\n* Windows Server 2008 (including R2, R2 SP1 and R2 SP2)\n* Windows Server, version 2004\n* Windows Server, version 1909\n* Windows Server, version 20H2\n\nTo be exploitable, the server needs to have the DNS role enabled with Dynamic Update enabled (default configuration).\n\n# Recommendations\n\nApply the patches as soon as possible [2]. It is recommended to prioritise the updates on Internet-facing Windows DNS Servers.\n\n## Mitigation\n\nTwo mitigations can be applied to limit the exploitability of the vulnerabilities:\n\n- Deactivating the Dynamic Update feature.\n- Enabling Secure Zone Updates to limit the exploitability.\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26897>\n\n[2] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26895>\n\n[3] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26894>\n\n[4] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26893>\n\n[5] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26877>\n\n[6] <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/03/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 9th of March 2021, Microsoft released several security advisories for Windows DNS Server. Five of those vulnerabilities would allow a remote attacker to execute code on the target if the DNS service is exposed [1, 2, 3, 4, 5]. One of them is considered critical by Microsoft (CVE-2021-26897) [1].</p><p>No proof-of-concept or ongoing exploitation of these vulnerabilities is public yet. However, because of the potential impact of the vulnerabilities, and because the condition for a DNS server to be vulnerable (dynamic updates enabled) is the default configuration, it is highly recommended to <strong>apply the patches as soon as possible</strong>.</p><p>Enabling Secure Zone Updates would protect from attacks on public-facing interfaces, but not from an attacker with a foothold on the network (domain-joined computer).</p><h2 id=\"technical-details\">Technical Details</h2><p>Microsoft gives the same description for all five vulnerabilities; however, McAfee provided a technical analysis of CVE-2021-26877 and CVE-2021-26897 [6].</p><p>The vulnerability identified as critical by Microsoft (CVE-2021-26897) is triggered when many consecutive Signature RR Dynamic Updates are sent to the DNS server, leading to a write on the heap when the updates are combined into base64-encoded strings before writing to the zone file.</p><p>The other analysed vulnerability (CVE-2021-26877) is triggered when a zone is updated with a TXT RR that has a <code>TXT length</code> greater than <code>Data length</code>.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Windows Server 2016</li><li>Windows Server 2019</li><li>Windows Server 2012 (including R2)</li><li>Windows Server 2008 (including R2, R2 SP1 and R2 SP2)</li><li>Windows Server, version 2004</li><li>Windows Server, version 1909</li><li>Windows Server, version 20H2</li></ul><p>To be exploitable, the server needs to have the DNS role enabled with Dynamic Update enabled (default configuration).</p><h2 id=\"recommendations\">Recommendations</h2><p>Apply the patches as soon as possible [2]. It is recommended to prioritise the updates on Internet-facing Windows DNS Servers.</p><h3 id=\"mitigation\">Mitigation</h3><p>Two mitigations can be applied to limit the exploitability of the vulnerabilities:</p><ul><li>Deactivating the Dynamic Update feature.</li><li>Enabling Secure Zone Updates to limit the exploitability.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26897\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26897</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26895\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26895</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26894\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26894</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26893\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26893</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26877\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26877</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/\">https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}