Patch Your DNS Servers! SigRed

KB ID 0001687

Problem

WARNING: This is rated 10 on the CVSS scale.

Affected Server OS: Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows 2016, Windows 2019

Yesterday Microsoft released a critical notice (KB4569509) to address the vulnerability identified in CVE-2020-1350. Basically, it allows a remote attacker to perform remote code execution on your DNS servers (unless you patch them!) The reason it’s so important is that it’s considered ‘wormable’ (it can jump from machine to machine without any user interaction).

To see how easy that is to do, watch the video below;

To be attacked from an external source the DNS server has to be publicly addressable; however, if you have a compromised machine on your network, it won’t be long before a malicious payload can be delivered from that vector as well.

Solution

The correct fix is to update your servers from Windows Update as soon as possible! However, if you want to protect yourself in the interim, you need to make a slight change in the Windows DNS Server registry.

I’ve written the PowerShell out, to save you poking around in the registry; it will change the key for you, and then restart the DNS Service.

[box]

# Set DNS Registry Key (Vulnerability CVE-2020-1350)
$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# Cap the size of DNS-over-TCP packets the server will accept (0xFF00 = 65280 bytes)
Set-ItemProperty -Path $RegKey -Name TcpReceivePacketSize -Value 0xFF00 -Type DWord
# Read the value back to confirm it was written
Get-ItemProperty -Path $RegKey -Name TcpReceivePacketSize
# The DNS service must be restarted for the change to take effect
Restart-Service DNS

[/box]
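If you have more than a handful of DNS servers, you will want to know which ones actually have the interim workaround in place, and you will want to take it off again once Windows Update has done its job. The script below is an added example (it is not from the original article or from Microsoft); it reads the registry value above from each server over PowerShell remoting and, with the second function, removes it and restarts DNS once the server is patched. It assumes WinRM is enabled to each server, that you run it with admin rights on them, and the server names are placeholders.

```powershell
# Added example (not from the original article): audit a list of Windows DNS servers
# for the CVE-2020-1350 interim registry workaround, and revert it once patched.
# Assumes PowerShell remoting is enabled and you have admin rights on each server.

$RegKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280 bytes, the value from the workaround above

# Returns one object per server: is DNS running, what is the value, is it mitigated?
function Get-DnsMitigationState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name, $Expected)
        $svc   = Get-Service -Name DNS -ErrorAction SilentlyContinue
        # Property is absent (null) on servers that never had the workaround applied
        $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            DnsRunning = [bool]($svc -and $svc.Status -eq 'Running')
            Value      = $value
            Mitigated  = ($value -eq $Expected)
        }
    } -ArgumentList $RegKey, $ValueName, $Expected
}

# Removes the interim workaround. Only run this AFTER the server has been
# patched from Windows Update; the registry value is a stop-gap, not the fix.
function Remove-DnsMitigation {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        if ((Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $Key -Name $Name
            Restart-Service -Name DNS
            "$($env:COMPUTERNAME): workaround removed, DNS service restarted"
        } else {
            "$($env:COMPUTERNAME): workaround not present, nothing to do"
        }
    } -ArgumentList $RegKey, $ValueName
}

# Usage (placeholder server names):
$servers = 'DC01', 'DC02', 'DNS-EXT01'
Get-DnsMitigationState -ComputerName $servers |
    Format-Table Server, DnsRunning, Value, Mitigated -AutoSize

# After patching, e.g.:
# Remove-DnsMitigation -ComputerName $servers
```

A server that shows `Mitigated = False` with an empty `Value` has neither the patch confirmed nor the workaround applied, so those are the ones to deal with first; a server showing `DnsRunning = False` after the restart needs a look before you move on to the next one.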

If you have a Cisco firewall you can use the default DNS inspection to mitigate this: RFC 1035 defines that DNS packets (over UDP) should be no larger than 512 bytes. But Windows uses EDNS, so you may have “message-length maximum client auto” in your config. If you remove that, and change the maximum allowed size to 65280, you will mitigate THIS problem. Though I don’t like that as a solution (unless you have a lot of DNS servers to update, and want to throw in a quick fix while you patch them all).

Note: This vulnerability has existed for 17 years! But now it’s public knowledge, so the clock is ticking before it gets exploited, ACT NOW!

Related Articles, References, Credits, or External Links

NA

vSphere – Virtual Machine Will Not ‘Power Off’ (Hangs at 95%)

KB ID 0000911 

Problem

I had a virtual machine crash on me while I was doing some work on it. As I was unable to shut it down gracefully, I attempted to ‘Power Off’. It progressed to 95% and stopped there.

Expecting it to ‘time out’, I carried on with some other work and kept an eye on it. 30 minutes later there was still no progress.

Solution

1. Enable SSH access on the ESX host that is hosting the problem VM.

2. Connect to the ESX host via SSH, and log on as root. Execute the following command to see all the running VMs on this host, and list their World ID numbers.

[box]

esxcli vm process list

[/box]

3. Once you have the World ID of the problem VM, you can attempt to power it off with the following command;

[box]

Syntax

esxcli vm process kill --type {soft,hard,force} --world-id {ID Number}

Example

esxcli vm process kill --type hard --world-id 1397444

[/box]

4. Check, and your VM should now be powered off.
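Picking the World ID out of the listing by eye is fine for one VM, but it is easy to get wrong on a busy host. The script below is an added example (not from the original article or from VMware): it pulls the World ID for a named VM out of the output of `esxcli vm process list`, and `kill_vm` then works through the soft, hard and force types in order, only escalating if the VM is still listed. The listing embedded in it is constructed sample output (made-up names and IDs), and it is written for POSIX sh because the ESXi shell is BusyBox ash.

```sh
#!/bin/sh
# Added example, not from the original article: look up a VM's World ID from
# "esxcli vm process list" output, then kill it with escalating force.
# Written for POSIX sh + awk so it runs in the ESXi (BusyBox ash) shell.

# Constructed sample output of "esxcli vm process list" (names and IDs are made up).
SAMPLE_LIST='2012 Test
   World ID: 1397444
   Process ID: 0
   VMX Cartel ID: 1397443
   UUID: 42 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 01
   Display Name: 2012 Test
   Config File: /vmfs/volumes/datastore1/2012 Test/2012 Test.vmx
Web01
   World ID: 1401200
   Process ID: 0
   VMX Cartel ID: 1401199
   UUID: 42 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 02
   Display Name: Web01
   Config File: /vmfs/volumes/datastore1/Web01/Web01.vmx'

# find_world_id NAME
# Reads the listing on stdin and prints the World ID of the VM whose
# "Display Name" matches NAME exactly; prints nothing if it is not running.
find_world_id() {
    awk -v name="$1" '
        /^ *World ID:/     { wid = $NF }
        /^ *Display Name:/ {
            sub(/^ *Display Name: */, "")
            if ($0 == name) { print wid; exit }
        }
    '
}

# kill_vm NAME
# Tries --type soft, then hard, then force, re-checking the listing between
# attempts so it stops at the gentlest type that actually worked.
kill_vm() {
    name="$1"
    wid=$(esxcli vm process list | find_world_id "$name")
    if [ -z "$wid" ]; then
        echo "no running VM named '$name'" >&2
        return 1
    fi
    for type in soft hard force; do
        echo "esxcli vm process kill --type $type --world-id $wid"
        esxcli vm process kill --type "$type" --world-id "$wid"
        sleep 10
        if [ -z "$(esxcli vm process list | find_world_id "$name")" ]; then
            echo "'$name' (World ID $wid) is no longer running after --type $type"
            return 0
        fi
    done
    echo "'$name' still running after --type force; fall back to ps/kill" >&2
    return 1
}

# Offline demonstration against the sample listing:
printf '%s\n' "$SAMPLE_LIST" | find_world_id '2012 Test'   # prints 1397444

# On a real host you would run, for example:
# kill_vm '2012 Test'
```

Matching on the full Display Name rather than a `grep` of the whole listing matters here, because a substring match (say, `Test`) could return the World ID of a different VM and you would kill the wrong one.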

If That Didn’t Work (How to Kill a VM)

Note: This is a last resort.

1. Issue the following command to locate the Process IDs that are associated with the problem VM.

[box]

Syntax

ps | grep "VM Name"

Example

ps | grep "2012 Test"

[/box]

You will get all the processes, and they are preceded by two columns of numbers; the first column contains the individual PIDs. The second column is the PID for the parent process, and this is the one you need.

2. Armed with your PID, you need to terminate that parent process with the following command;

[box]

Syntax

kill {PID}

Example

kill 1398644

[/box]

3. Check, and your VM should now be powered off.

Related Articles, References, Credits, or External Links

NA