What you need to know
Vulnerability Background and Overview
On Wednesday December 11, 2018 Microsoft released a security advisory for CVE-2018-8626 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626) in parallel with a ‘Critical’ security update to address the issue. The Microsoft advisory contains very little information regarding the specific nature of the vulnerability, only that:
- It affects systems running the Microsoft Domain Name Server (DNS) Service.
- The exploit code has not been publicly disclosed.
- It is not known to be exploited in the wild yet.
- There are no current workarounds available, other than applying the patch.
- It can be remotely exploited by an unauthenticated attacker via a malicious DNS request.
- There is a patch for Windows 10, Windows Server 2012R2, Server 2016, and Server 2019.
The only technical detail currently available on the nature of the issue and its exploitation is that it is a heap-based buffer overflow. Because the Microsoft DNS Service runs as ‘Local System’, successful exploitation executes with that account's privileges, an immediate escalation of privileges on impacted systems. Furthermore, in most organizations the DNS service runs on Domain Controllers, which increases the risk to a vulnerable organization: Domain Controllers provide critical authentication functions via Microsoft Active Directory.
What should you do?
BTB recommends organizations immediately patch vulnerable hosts—internally and externally.
What should you do… RIGHT NOW?
Drink some coffee and patch all vulnerable hosts.
- While Domain Controllers are typically located on an “internal” (i.e., not Internet-facing) network, an attacker may use other means to reach and exploit this vulnerability (e.g., phishing with remote access payloads).
- Microsoft Windows DNS servers may be Internet-facing, greatly increasing the risk profile and likelihood of exploitation.
- Patch management processes occasionally delay patching of production Domain Controllers by prioritizing other hosts (such as development systems, workstations, or less critical servers); consider adjusting the testing and patching process for this emergency patch cycle.
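To act on the recommendation above, an administrator first needs to know which hosts run the Windows DNS Server service and which of those have not yet received the update. The following PowerShell is an added example for that inventory step; it is not BTB Security's or Microsoft's code, and the KB article ID is a placeholder that must be replaced with the update ID Microsoft lists for CVE-2018-8626 for each affected OS version.

```powershell
# Added example (not from BTB Security): inventory Windows hosts that run the
# DNS Server service and report whether a given security update is installed.
# The KB number is a PLACEHOLDER; substitute the article ID Microsoft lists for
# CVE-2018-8626 for the host's OS version in its advisory.
function Test-DnsServerPatchStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Placeholder: KB ID of the update addressing CVE-2018-8626 for the host's OS.
        [Parameter(Mandatory)]
        [string]$KBArticle
    )

    foreach ($computer in $ComputerName) {
        try {
            # The Windows DNS Server service is registered under the short name "DNS".
            $dnsService = Get-Service -ComputerName $computer -Name 'DNS' -ErrorAction Stop
            $runsDns = $dnsService.Status -eq 'Running'
        } catch {
            # No such service: the host does not run the DNS Server role.
            $runsDns = $false
        }

        # Get-HotFix reads Win32_QuickFixEngineering, i.e. updates installed via
        # Windows Update / WUSA. An empty result means the update is not recorded.
        $installed = $null -ne (Get-HotFix -ComputerName $computer -Id $KBArticle -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            ComputerName   = $computer
            RunsDnsServer  = $runsDns
            PatchInstalled = $installed
            ActionRequired = $runsDns -and -not $installed
        }
    }
}

# Example usage: check every Domain Controller, since they typically host the DNS role.
# Get-ADDomainController requires the ActiveDirectory RSAT module.
# $dcs = (Get-ADDomainController -Filter *).HostName
# Test-DnsServerPatchStatus -ComputerName $dcs -KBArticle 'KB<placeholder>' |
#     Where-Object ActionRequired | Format-Table -AutoSize
```

Two caveats when using this: the `-ComputerName` parameters of `Get-Service` and `Get-HotFix` are available in Windows PowerShell 5.1 (on PowerShell 7 wrap the calls in `Invoke-Command` instead), and because Windows cumulative updates supersede one another, a host patched with a later cumulative update will not list the original KB even though it is no longer vulnerable; confirm with the OS build number before treating it as unpatched.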
What is BTB Security doing?
BTB Security’s RIOT Labs is currently researching Indicators of Compromise (IOCs) and will integrate them into RADAR to protect our clients as soon as they are available. For current BTB Security customers, we can scan external hosts for this vulnerability at no cost. Please send an email to firstname.lastname@example.org to request the scan.
- Microsoft Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626
- BTB Security - https://www.btbsecurity.com