For the March 2021 Patch Tuesday, Microsoft released a set of seven DNS vulnerabilities. Five of the vulnerabilities are remote code execution (RCE) with critical CVSS (Common Vulnerability Scoring System) scores of 9.8, while the remaining two are denial of service (DoS). Microsoft shared detection guidance and proofs of concept with MAPP members for two of the RCE vulnerabilities, CVE-2021-26877 and CVE-2021-26897, which we have confirmed to be within the DNS Dynamic Zone Update activity. Microsoft subsequently confirmed that all seven of the DNS vulnerabilities are within the Dynamic Zone Update activity.

A critical CVSS score of 9.8 means that an attacker can remotely compromise a DNS server with no authentication or user interaction required.

- CVE-2021-26877, CVE-2021-26897 (exploitation more likely)
- CVE-2021-26893, CVE-2021-26894, CVE-2021-26895 (exploitation less likely)
- CVE-2021-26896, CVE-2021-27063 (exploitation less likely)

We confirmed from our analysis of CVE-2021-26877 and CVE-2021-26897, in addition to further clarification from Microsoft, that none of the five DNS RCE vulnerabilities are wormable. Successful exploitation of these vulnerabilities would lead to RCE on a Primary Authoritative DNS server. While CVSS is a great tool for technical scoring, it needs to be taken in context with your DNS deployment environment to understand your risk, which we discuss below.

We highly recommend you urgently patch your Windows DNS servers if you are using Dynamic Updates. If you cannot patch, we recommend you prioritize evaluating your exposure. In addition, we have developed signatures for CVE-2021-26877 and CVE-2021-26897, which are rated as "exploitation more likely" by Microsoft.

DNS Dynamic Updates, Threats and Deployment

Per the NIST "Secure Domain Name System (DNS) Deployment Guide", DNS threats can be divided into Platform and Transaction Threats. The platform threats can be classed as either DNS Host Platform or DNS Software Threats. Per Table 1 below, Dynamic Update is one of the four DNS Transaction types. The seven DNS vulnerabilities are within the Dynamic Update DNS transaction feature of Windows DNS Software.

Table 1: DNS Transaction Threats and Security Objectives

The DNS Dynamic Zone Update feature allows a client to update its Resource Records (RRs) on a Primary DNS Authoritative Server, for example when it changes its IP address; these clients are typically Certificate Authority (CA) and DHCP servers. The Dynamic Zone Update feature can be deployed on a standalone DNS server or an Active Directory (AD) integrated DNS server. Best practice is to deploy DNS integrated with AD so it can avail itself of Microsoft security such as Kerberos and GSS-TSIG. When creating a Zone on a DNS server there is an option to enable or disable DNS Dynamic Zone Updates. When DNS is deployed as a standalone server, the Dynamic Zone Update feature is disabled by default but can be enabled in secure/nonsecure mode. When DNS is deployed as AD integrated, the Dynamic Zone Update feature is enabled in secure mode by default. Secure Dynamic Zone Update verifies that all RR updates are digitally signed using GSS-TSIG from a domain-joined machine. In addition, more granular controls can be applied on which principals can perform Dynamic Zone Updates. Insecure Dynamic Zone Update allows any machine to update RRs without any authentication (not recommended).

From a Threat Model perspective, we must consider Threat Actor motives, capabilities, and access/opportunity, so you can understand the risk relative to your environment. We are not aware of any exploitation in the wild of these vulnerabilities, so we must focus on the access capabilities, i.e., close the door on the threat actor opportunity. Table 2 summarizes DNS Dynamic Update deployment models relative to the opportunity these RCE vulnerabilities present. In both models, a DNS server must accept write requests to at least one Zone (typically a primary DNS server only allows Zone RR writes, but there are misconfigurations and secondary servers which can negate this).

| Deployment model | Threat Actor access |
|---|---|
| Standalone DNS Server (secure/nonsecure config) | Attacker must craft request to DNS server and supply a target Zone in request |
| AD Integrated DNS Dynamic Updates (default config of secure updates) | Attacker must craft request to DNS server and supply a target Zone in request |

Table 2: Threat Actor access relative to deployment models and system impact
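As an added example, not code from the McAfee post or from Microsoft, the following PowerShell audit uses the DnsServer module's Get-DnsServerZone cmdlet to list every primary zone's DynamicUpdate setting on a Windows DNS server and label it against the deployment models described above (standalone vs. AD integrated, nonsecure vs. secure). The $DnsServer parameter, the exposure labels and the printed remediation hints are this example's own choices, not settings taken from the post.

```powershell
# Added example (not code from the McAfee post or from Microsoft): audit which
# primary zones on a Windows DNS server accept Dynamic Updates, and in which mode.
# Requires the DnsServer PowerShell module (DNS Server role or RSAT DNS tools).
# $DnsServer is an assumed parameter name; it defaults to the local machine.
[CmdletBinding()]
param(
    [string]$DnsServer = $env:COMPUTERNAME
)

Import-Module DnsServer -ErrorAction Stop

# Map a zone's DynamicUpdate setting onto the deployment models in the post.
# The exposure labels are this example's own wording.
function Get-DynamicUpdateExposure {
    param($Zone)

    switch ($Zone.DynamicUpdate) {
        'None' {
            'Low: dynamic updates disabled'
        }
        'Secure' {
            if ($Zone.IsDsIntegrated) {
                'Medium: AD integrated, GSS-TSIG signed updates from domain-joined machines only'
            } else {
                'Medium: secure-only updates on a zone that is not AD integrated'
            }
        }
        'NonsecureAndSecure' {
            'High: any host can update RRs without authentication'
        }
        default {
            "Unknown DynamicUpdate value: $($Zone.DynamicUpdate)"
        }
    }
}

# Auto-created zones (e.g. 0.in-addr.arpa) and secondary/stub/forwarder zones do
# not take dynamic updates from clients, so only primary zones are audited.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

$report = foreach ($zone in $zones) {
    [pscustomobject]@{
        Server         = $DnsServer
        ZoneName       = $zone.ZoneName
        IsDsIntegrated = $zone.IsDsIntegrated
        DynamicUpdate  = $zone.DynamicUpdate
        Exposure       = Get-DynamicUpdateExposure -Zone $zone
    }
}

$report | Sort-Object ZoneName | Format-Table -AutoSize

$accepting = @($report | Where-Object { $_.DynamicUpdate -ne 'None' })
Write-Host ("{0} of {1} primary zones on {2} accept dynamic updates." -f $accepting.Count, @($report).Count, $DnsServer)

# Remediation hints are printed for review, not applied. Windows DNS only allows
# -DynamicUpdate Secure on AD-integrated zones, so a standalone zone that must
# not accept unauthenticated writes can only be set to None.
foreach ($z in $report | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' }) {
    $target = if ($z.IsDsIntegrated) { 'Secure' } else { 'None' }
    Write-Host ("Review: Set-DnsServerPrimaryZone -ComputerName {0} -Name '{1}' -DynamicUpdate {2}" -f $z.Server, $z.ZoneName, $target)
}
```

Run it on the DNS server, or from a management host with the RSAT DNS tools against each server in turn. Zones reported as NonsecureAndSecure correspond to the "Insecure Dynamic Zone Update" case above and are where an exposure review should start if patching has to be delayed; AD-integrated zones in Secure mode still accept updates, but only GSS-TSIG signed ones from domain-joined machines, which is the access condition Table 2 describes for that model.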