# This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This .audit addresses a temporary stop gap in targets where the patch is not installed or feasible to install in a timely manner.
#
# Sources for additional information:
# https://www.tenable.com/blog/cve-2020-1350-wormable-remote-code-execution-vulnerability-in-windows-dns-server-sigred
# https://www.tenable.com/cve/CVE-2020-1350
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
# https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
#
# Note: the enclosing .audit tags (check_type, if/condition/then/else, report) did not survive
# extraction and are restored here from the standard .audit layout; the PASSED report type on
# the not-applicable branch is an assumption.

<check_type:"Windows" version:"2">

<if>
  <condition type:"AND">
    <custom_item>
      type            : AUDIT_POWERSHELL
      description     : "Check for the DNS service"
      value_type      : POLICY_TEXT
      value_data      : "Pass"
      powershell_args : "$service=$(get-service | where {$_.Name -like 'dns'}); if($service) { $result='Pass' } else { $result='Fail'}; $result"
    </custom_item>
  </condition>

  <then>
    <custom_item>
      type        : REGISTRY_SETTING
      description : "CVE-2020-1350 - TCPReceivePacketSize Registry Setting"
      info        : "This check looks for the existence of a temporary workaround advised by Microsoft until CVE-2020-1350 patches are in place."
      solution    : "From https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability:

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that's allowed:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize
Type: DWORD
Value data: 0xFF00

Notes
The default (also maximum) Value data = 0xFFFF.
The recommended Value data = 0xFF00 (255 bytes less than the maximum).
You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:

net stop dns && net start dns

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes."
      value_type  : POLICY_DWORD
      value_data  : 65280
      reg_key     : "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
      reg_item    : "TCPReceivePacketSize"
      reg_option  : CAN_NOT_BE_NULL
    </custom_item>
  </then>

  <else>
    <report type:"PASSED">
      description : "CVE-2020-1350 - TCPReceivePacketSize Registry Setting"
      info        : "The Windows DNS service was not found. This check is not applicable."
    </report>
  </else>
</if>

</check_type>
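# Added example, not part of the Tenable audit above: a stand-alone PowerShell check that mirrors the
# audit's logic (DNS Server service present, then TcpReceivePacketSize compared against 0xFF00) and,
# with -Apply, sets the KB4569509 workaround and restarts the service. The script name and the
# -Apply switch are this example's own choices.

```powershell
# Verify (and optionally apply) the CVE-2020-1350 TcpReceivePacketSize workaround.
# Run from an elevated PowerShell prompt: .\Check-SigRedWorkaround.ps1 [-Apply] [-WhatIf]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280: Microsoft's recommended value (default and maximum is 0xFFFF)

# The workaround only matters on hosts that actually run the DNS Server service,
# which is the same gate the audit's AUDIT_POWERSHELL condition applies.
$dns = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Output 'DNS Server service not found; workaround not applicable.'
    return
}

# A missing value means the server is using the default 0xFFFF, i.e. no mitigation.
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set (server uses the default/maximum 0xFFFF): FAIL"
} elseif ([int]$current -eq $Expected) {
    Write-Output ('{0} = 0x{1:X}: PASS (workaround in place)' -f $ValueName, $current)
} else {
    Write-Output ('{0} = 0x{1:X}, expected 0x{2:X}: FAIL' -f $ValueName, $current, $Expected)
}

if ($Apply -and ([int]$current -ne $Expected)) {
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", ('Set DWORD to 0x{0:X} and restart DNS' -f $Expected))) {
        # -Force creates the value when it does not exist yet.
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Expected -Type DWord -Force
        # The DNS service reads this value only at start-up; restarting it causes a brief
        # resolution outage, so schedule accordingly.
        Restart-Service -Name 'DNS' -Force
        Write-Output 'Workaround applied and DNS service restarted.'
    }
}
```

Once the server is patched, remove the value (or restore 0xFFFF) so that upstream responses larger than 65,280 bytes resolve again, as the audit's solution text warns.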