
CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server - nvr219
https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
======
jlgaddis
> _... this vulnerability is not currently known to be used in active attacks
> ..._

Give it 24 hours.

---

So the problem is with TCP DNS responses larger than 65280 bytes... With a
CVSS score of 10.0, something tells me this is gonna be pretty trivial.

Get / cause the DNS server to send a legitimate (TCP-based) query to your
server, reply with a crafted response > 65280 bytes, BOOM?

I expect it shouldn't take long to figure out the issue -- and, thus, how to
craft a "magic packet", just by examining the bindiff/patch. Hell, it might
even be possible to trigger it just playing around with a TCP fuzzer!

> _We consider this to be a wormable vulnerability, meaning that it has the
> potential to spread via malware between vulnerable computers without user
> interaction._

Oh man, it should be fun to watch the fallout from this over the coming
days...
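
Added example, not part of the thread or of Microsoft's advisory: a defender-side check that walks a captured TCP DNS byte stream using the 2-byte length prefix from RFC 1035 and flags responses larger than the 65280 bytes mentioned in the comment above. The function names and the sample stream are constructed for illustration.

```python
import struct

THRESHOLD = 65280  # size quoted in the comment above
DNS_HEADER_LEN = 12


def split_tcp_dns(stream: bytes):
    """Yield (offset, declared_len, body) per TCP-framed DNS message."""
    pos = 0
    while pos + 2 <= len(stream):
        (declared,) = struct.unpack_from("!H", stream, pos)
        yield pos, declared, stream[pos + 2 : pos + 2 + declared]
        pos += 2 + declared


def flag_oversized(stream: bytes, threshold: int = THRESHOLD):
    """Return one finding per DNS response whose declared length exceeds threshold."""
    findings = []
    for offset, declared, body in split_tcp_dns(stream):
        if len(body) < DNS_HEADER_LEN:
            continue  # capture too short to read the header flags
        txid, flags = struct.unpack_from("!HH", body, 0)
        if flags & 0x8000 and declared > threshold:  # QR bit set: a response
            findings.append({"offset": offset, "txid": txid, "length": declared,
                             "truncated_capture": len(body) < declared})
    return findings


def sample_message(txid: int, response: bool, size: int) -> bytes:
    """Constructed message: length prefix, 12-byte header, zero padding."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    return struct.pack("!H", size) + header + b"\x00" * (size - DNS_HEADER_LEN)


def constructed_stream() -> bytes:
    """Constructed capture: one query, then responses of 512, 65300 and 65280 bytes."""
    return (sample_message(1, False, 40) + sample_message(2, True, 512)
            + sample_message(3, True, 65300) + sample_message(4, True, 65280))


if __name__ == "__main__":
    for finding in flag_oversized(constructed_stream()):
        print(finding)
```

A response of exactly 65280 bytes is not flagged; a capture cut off after the header is still flagged, with `truncated_capture` set.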

~~~
tetha
Fairly complete attack details are out already.

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Including possible JavaScript vectors to trigger reflection attacks on LAN
servers. Yay. This isn't going to take days, this will be fun tomorrow.

------
buildbot
Note that this is a CVE level 10 (!!)

