MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Vulnerability in Microsoft DNS Server Could Allow for Remote Code Execution (MS16-071)
A vulnerability has been discovered in Microsoftâ€™s Windows Domain Name System (DNS) Server, which could allow for remote code execution. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the Local System Account. Depending on the privileges associated with this account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are currently no reports of these vulnerabilities being exploited in the wild.
- Windows Server 2012, R2, and Server Core Installations
- Large and medium government entities:High
- Small government entities:Medium
- Large and medium business entities:High
- Small business entities:Medium
Home users: Low
A remote code execution vulnerability was discovered in Windows DNS Server when it fails to properly handle specially crafted DNS requests (CVE-2016-3227). This vulnerability can be exploited if an attacker issues a malicious request to a vulnerable Windows server configured as a DNS server.
Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the Local System Account. Depending on the privileges associated with this account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Implement logging and monitor logs to ensure that only authorized users are accessing resources and identify any unauthorized modifications or unusual traffic. Store logs for a minimum of 90 days.