CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.3%
According to its self-reported version number, the Microsoft DNS Server running on the remote host is affected by a remote code execution vulnerability. An unauthenticated, remote attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.
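Note that the plugin can only obtain the full Microsoft DNS server version if the EnableVersionQuery DNS setting is set to 1. Because the check compares a four-part version, a server that does not disclose its full version may not be evaluated, so confirm its patch level by other means.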
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
# Plugin registration block. It runs only when the script is loaded with
# `description` set, declares the plugin's metadata, and exits at the end
# without performing any check.
if (description)
{
script_id(138554);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/03/08");
script_cve_id("CVE-2020-1350");
script_xref(name:"IAVA", value:"2020-A-0299");
# Vendor update references: each MSKB entry below has a matching MSFT entry
# further down (presumably one per fixed Windows Server branch).
script_xref(name:"MSKB", value:"4558998");
script_xref(name:"MSKB", value:"4565483");
script_xref(name:"MSKB", value:"4565503");
script_xref(name:"MSKB", value:"4565511");
script_xref(name:"MSKB", value:"4565524");
script_xref(name:"MSKB", value:"4565529");
script_xref(name:"MSKB", value:"4565535");
script_xref(name:"MSKB", value:"4565536");
script_xref(name:"MSKB", value:"4565537");
script_xref(name:"MSKB", value:"4565539");
script_xref(name:"MSKB", value:"4565540");
script_xref(name:"MSKB", value:"4565541");
script_xref(name:"MSFT", value:"MS20-4558998");
script_xref(name:"MSFT", value:"MS20-4565483");
script_xref(name:"MSFT", value:"MS20-4565503");
script_xref(name:"MSFT", value:"MS20-4565511");
script_xref(name:"MSFT", value:"MS20-4565524");
script_xref(name:"MSFT", value:"MS20-4565529");
script_xref(name:"MSFT", value:"MS20-4565535");
script_xref(name:"MSFT", value:"MS20-4565536");
script_xref(name:"MSFT", value:"MS20-4565537");
script_xref(name:"MSFT", value:"MS20-4565539");
script_xref(name:"MSFT", value:"MS20-4565540");
script_xref(name:"MSFT", value:"MS20-4565541");
# The CVE carries a CISA known-exploited cross-reference; together with the
# exploit attributes set below this marks a finding as a patching priority.
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2020/07/24");
script_xref(name:"CEA-ID", value:"CEA-2020-0129");
script_xref(name:"CEA-ID", value:"CEA-2020-0059");
script_name(english:"Microsoft DNS Server Remote Code Execution (SIGRed)");
script_set_attribute(attribute:"synopsis", value:
"The DNS server running on the remote host is affected by a
remote code execution vulnerability.");
# The description states the two limits of this plugin: the finding rests on
# the server's self-reported version, and the full version is only available
# when EnableVersionQuery is set to 1.
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Microsoft DNS
Server running on the remote host is affected by a remote code
execution vulnerability. An unauthenticated, remote attacker who
successfully exploited the vulnerability could run arbitrary code in
the context of the Local System Account.
Note that in order to get the full Microsoft DNS server version, the
EnableVersionQuery DNS setting would need to be set to 1.");
# https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22a53c13");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, version 1903, 1909, and 2004.");
# Scoring: network-reachable, no authentication or user interaction, full
# C/I/A impact; the CVSS v3 vector additionally records a changed scope.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1350");
# Exploit maturity flags: public exploits, exploit-framework coverage and
# malware use are all recorded as true for this CVE.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/14");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/16");
# Declared as a remote plugin in the information-gathering category: the
# verdict comes from version data, not from an attempt to trigger the flaw.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"DNS");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The check needs the 'ms_dns/version' KB entry; ms_dns_version.nasl is
# declared as a dependency and is presumably the script that stores it.
script_dependencies("ms_dns_version.nasl");
script_require_keys("ms_dns/version");
exit(0);
}
include('vcf.inc');
# Check body: compare the Microsoft DNS Server version stored in the KB
# against the fixed build of each Windows Server branch and report a
# SECURITY_HOLE finding when it falls inside a vulnerable range.
kb_ver = 'ms_dns/version';
# Stops the plugin when no DNS version was recorded. The returned value is not
# used again in this script; app_info below is built from the same KB key.
version = get_kb_item_or_exit(kb_ver);
# The port is the literal 53 rather than a value read from the KB, so any
# finding is attributed to port 53.
port = 53;
app_info = vcf::get_app_info(app:'Microsoft DNS server', kb_ver:kb_ver, port:port);
# Asks for four significant version segments. Presumably a shorter version is
# not evaluated (confirm in vcf.inc); the plugin description ties obtaining the
# full version to EnableVersionQuery being set to 1.
vcf::check_granularity(app_info:app_info, sig_segments:4);
# One range per patched branch: 'min_version' is the branch baseline and
# 'fixed_version' the first build carrying the fix.
# NOTE(review): builds outside every range (for example branches that never
# received a fix) match no entry and so are presumably not reported; verify
# such hosts separately.
# NOTE(review): this is a version comparison only, so it cannot see mitigations
# applied without patching (such as a vendor registry workaround); a mitigated
# but unpatched server would presumably still be reported.
constraints = [
# Windows Server 2008
# NOTE(review): Server 2008 SP2 builds from before the 2019 build-number change
# report 6.0.6002.x, which is below this min_version - confirm whether those
# hosts are meant to be covered.
{ 'min_version': '6.0.6003.0', 'fixed_version': '6.0.6003.20885' },
# Windows Server 2008 R2
{ 'min_version': '6.1.7601.0', 'fixed_version': '6.1.7601.24557' },
# Windows Server 2012
{ 'min_version': '6.2.9200.0', 'fixed_version': '6.2.9200.23084' },
# Windows Server 2012 R2
{ 'min_version': '6.3.9600.0', 'fixed_version': '6.3.9600.19759' },
# Windows Server 2016
{ 'min_version': '10.0.14393.0', 'fixed_version': '10.0.14393.3808' },
# Windows Server 2019
{ 'min_version': '10.0.17763.0', 'fixed_version': '10.0.17763.1339' },
# Windows Server, version 1903/1909
# 1903 and 1909 have the same KB
{ 'min_version': '10.0.18362.0', 'fixed_version': '10.0.18362.959' },
# Windows Server, version 2004
{ 'min_version': '10.0.19041.0', 'fixed_version': '10.0.19041.388' }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.3%