Microsoft has released a patch to resolve a critical remote code execution vulnerability that has lived in the DNS server code for 17 years.
A blog post from the Microsoft Security Response Centre states:
Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.
Since DNS servers are, necessarily, exposed to the Internet this vulnerability deserves urgent attention to install the patch or follow the mitigation steps published by Microsoft.
The flaw is described as ‘wormable,’ this means a single compromised DNS server could be leveraged to then attack and compromise other servers on the same network without user interaction.
The vulnerability lies in the Microsoft DNS server code and is not a problem with the DNS protocol itself. Only the DNS Server software is affected, client Windows 10 PC are not vulnerable.
With the severity of the flaw, Microsoft has issued patches for all versions of its server software back to Server 2004.