Forum Discussion
Critical Remote Code Execution Flaw in Windows DNS Server...
Will the blog be updated with the 2 released plugins? Will those plugins be sharpened to reflect whether or not the registry key is set? Right now, credentialed check customers don't have one stop shopping to accurately identify vulnerable servers. Plugin 138554 has a dependency on a reg setting according to its documentation, plugin 138600 flags any server without the latest kernel regardless of the reg key workaround or whether the DNS role is installed, and the .audit only detects if the reg key workaround exists.
- snarang, 5 years ago, Product Team
Hi @Regis P,
Thanks for reaching out to us. The plugins you mentioned are linked under the Identifying Affected Systems section under our standard language ("A list of Tenable plugins to identify this vulnerability will appear here as they’re released.") The plugins and audit file we've produced are several ways to identify affected systems or whether or not mitigations are in place. Since there are multiple avenues of detection, we don't currently have a single "one stop shopping" way to flag vulnerable servers. We are continuing to look into other methods of detection. If you'd like to make a formal request for additional plugin coverage, please reach out to our support team so we can have your request documented. -Satnam
- haverkos, 5 years ago, Connect Contributor
Thanks for the reply, Satnam. I'm confused though -- do individual customers really have to formally request a reliable plugin without false positives or false negatives for a critical wormable RCE vulnerability? I can imagine a number of them feel that's really table stakes for credentialed vuln scanning.
- dennis_himic, 5 years ago, Connect Contributor
Plugin 138600 is identifying unpatched kernel in Windows 2012 servers that are not running DNS server and listing them as vulnerable to Windows DNS Server RCE (CVE-2020-1350). Is this expected?
- ApprovedAnonymous, 5 years ago
Hello @Regis P, @Dennis H,
We've updated our Local Check plugin 138600 - Windows DNS Server RCE (CVE-2020-1350).
Changes will be available in the feed later today. We've added a validation that the DNS Server Feature is installed in the server.
This capability to validate what features are enabled on a Windows Asset was available in our plugin WMI Windows Feature Enumeration (https://www.tenable.com/plugins/nessus/44871).
Hopefully the modifications to the existing check will simplify your processes and add more clarification to the plugin being fired.
There is also a remote check that would report based on the Microsoft DNS Server detected (138554) - Microsoft DNS Server Remote Code Execution (SIGRed). Just to note that in order to get the full Microsoft DNS server version being advertised by the server, the EnableVersionQuery DNS setting would need to be set to 1.
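The per-host correlation this thread asks for can be sketched as follows. This is an added example, not part of the original posts and not Tenable code; it combines the signals named above (138600, 138554, 44871 and the .audit result) into one verdict. The CSV layout, the detail strings, the reading of an audit `PASSED` as "workaround set" and the verdict names are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scan data). Assumed columns: "source" is
# a plugin ID from the thread or "audit"; "detail" is free text.
SAMPLE = """host,source,detail
dc01,138600,missing update
dc01,138554,Microsoft DNS Server detected
dc01,audit,FAILED
dns02,138600,missing update
dns02,44871,DNS Server
dns02,audit,PASSED
file03,138600,missing update
file03,44871,File Server
file03,audit,FAILED
dc04,138554,Microsoft DNS Server detected
dc04,44871,DNS Server
"""

def triage(export_text):
    """Return {host: verdict} by correlating findings per host."""
    by_host = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        by_host[row["host"]][row["source"]].append(row["detail"])

    verdicts = {}
    for host, found in by_host.items():
        unpatched = "138600" in found  # local check fired
        # DNS role evidence: remote detection, or the feature enumeration output
        dns_role = "138554" in found or any(
            "DNS Server" in d for d in found.get("44871", []))
        # Assumption: audit PASSED means the registry workaround is set;
        # a missing audit row is treated as "not confirmed".
        workaround = "PASSED" in found.get("audit", [])
        if not unpatched:
            verdicts[host] = "NOT_FLAGGED"
        elif not dns_role:
            verdicts[host] = "NO_DNS_ROLE"      # the case raised for 138600
        elif workaround:
            verdicts[host] = "WORKAROUND_ONLY"  # still needs the update
        else:
            verdicts[host] = "VULNERABLE"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(host, verdict)
```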