You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020
[See the full post at: FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective]
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective
- This topic has 29 replies, 13 voices, and was last updated 4 years, 10 months ago.
AuthorViewing 11 reply threadsAuthor-
more info on the registry edit from the horses mouth:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerabilityWorkaround
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
TcpReceivePacketSize
Value = 0xFF00
Note You must restart the DNS Service for the registry change to take effect.
The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Windows - commercial by definition and now function...4 users thanked author for this post.
-
I did the TcpReceivePacketSize registry edit on my 2008R2 server, and I also installed KB4565540 on my 2012R2 server. After the reboot I’m not seeing a TcpReceivePacketSize entry on my 2012R2 server, does the KB4565540 update solve the DNS issue a different way?
Thank you.
-
-
FAQs in the guidance document recommend removing the registry workaround after a server has been patched, so the patch must solve the underlying issue rather than rely on the temporary packet size restriction.
1 user thanked author for this post.
-
-
-
-
-
-
-
-
-
-
-
-
If it’s a published microsoft, article I would think so.
0Patch will probably issue something also given the severity of the potential. Perhaps implement the workaround in preperation for 0Patch or Microsoft, whichever lands first.Windows - commercial by definition and now function...
-
-
-
All of our DNS servers are 2012r2. I was able to update and reboot one of them today and the rest of them will be updated after hours this evening. I don’t foresee any issues but if I do I will follow up on this post tomorrow. If you don’t hear back then I would say no issues to report with the DNS server patches.
All other updates are on hold of course, for now.
Red Ruffnsore
3 users thanked author for this post.
-
I had no issues updating all servers overnight. Including the .net patches and the IE11 update for 2012r2. This includes 2012r2, 2016, and 2019 servers. All dns servers updated.
Disclaimer – your mileage may vary.
Red Ruffnsore
2 users thanked author for this post.
-
-
My team patched many servers early this morning, none had issues. Even our notoriously cranky Server 2016 machines patched quickly and easily this time around.
~ Group "Weekend" ~
2 users thanked author for this post.
-
-
I saw that too, and wish I had an old Server 2008 R2 to play with still. My guess is that it would manually update from the download fine. Uncertain I would want to test on a production server. Then again, if you have a 2008 R2 production server, try it, and it fails . . . it might be the kick needed to upgrade.
Wait a minute . . . I have a HyperV image backup of an old 2008 R2 from a couple years ago from a retired machine. Stand by.
~ Group "Weekend" ~
-
That was a fun ride.
Spun up an orphaned HyperV image of an old Server 2008 R2 application server. I want to emphasize this is a pretty plain-jane server config: It does NOT have any advanced roles like Active Directory / Domain Controller installed. It was a print and application server only. Also of note is I let Windows Update catch it up to January 2020 before the following experiment.
1) Downloaded the MSU via Catalog link for Server 2008 R2 listed at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
2) Tried to install it and failed with this message:
Note: Clicking that blue link in the error took me to a VERY outdated Microsoft page, which subsequently led down a rabbit hole of obsolete downloads for Service Stack editions dating circa 2011 . . . (in other words, don’t bother!)
3) Circled around and found the Server 2008 R2 July 2020 Service stack update for ESU customers at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4565354 and successfully installed that. (Note: I do not have ESU on this machine, nor was ESU simulated per other sources available on this site.)
4) After that step, I was able to successfully install the July 2020 Rollup on this machine.
(It did provide a success message, but that window didn’t include the KB number.)Remember class, this was NOT on a production server – after this test I shut it down and relegated the HyperV image back to storage. All disclaimers apply here.
TL:DR – it appears Microsoft is not blocking this update for Server 2008 R2.
But – it failed on reboot (see next message)
~ Group "Weekend" ~
-
So I had a thought and went to spin that HyperV machine back up to check on something — and it’s a good thing I did! It powered up on the second phase install of the July Rollup and presented me with this:
Once it recovered, the Update history shows:
I suspect either a per-requisite patch after Jan 2020 is missing (in spite of the fact that roll-ups are supposed to include that stuff) OR this patch doesn’t check ESU status until the reboot – which is playing nasty since this is openly available on the Microsoft Catalog.
If I have time will dig deeper in a few days.
~ Group "Weekend" ~
-
-
-
-
-
-
Viewing 11 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
EchoLeak : Zero Click M365 Copilot leak sensitive information
by 35 minutes ago
-
24H2 may not be offered June updates
by 45 minutes ago
-
Acronis : Tracking Chaos RAT’s evolution (Windows, Linux)
by 13 hours, 9 minutes ago
-
Turning off OneDrive
by 17 hours, 38 minutes ago
-
June 2025 updates are out
by 19 minutes ago
-
Mozilla shutting Deep Fake Detector
by 1 day, 3 hours ago
-
Windows-Maintenance-Tool (.bat)
by 13 hours, 18 minutes ago
-
Windows 11 Insider Preview build 26200.5641 released to DEV
by 1 day, 6 hours ago
-
Windows 11 Insider Preview build 26120.4250 (24H2) released to BETA
by 1 day, 6 hours ago
-
Install Office 365 Outlook classic on new Win11 machine
by 1 day, 6 hours ago
-
win 10 to win 11 with cpu/mb replacement
by 22 hours, 20 minutes ago
-
re-install Windows Security
by 1 day, 9 hours ago
-
WWDC 2025 Recap: All of Apple’s NEW Features in 10 Minutes!
by 1 day, 13 hours ago
-
macOS Tahoe 26
by 1 day, 7 hours ago
-
Migrating from win10 to win11, instructions coming?
by 42 minutes ago
-
Device Eligibility for Apple 2026 Operating Systems due this Fall
by 22 hours, 11 minutes ago
-
Recommended watching : Mountainhead movie
by 22 hours, 55 minutes ago
-
End of support for Windows 10
by 6 hours, 26 minutes ago
-
What goes on inside an LLM
by 17 hours, 4 minutes ago
-
The risk of remote access
by 17 minutes ago
-
The cruelest month for many Office users
by 55 minutes ago
-
Tracking protection and trade-offs in Edge
by 1 day, 3 hours ago
-
Supreme Court grants DOGE access to confidential Social Security records
by 2 days, 11 hours ago
-
EaseUS Partition Master free 19.6
by 1 day, 12 hours ago
-
Microsoft : Edge is better than Chrome
by 3 days, 1 hour ago
-
The EU launched DNS4EU
by 3 days, 13 hours ago
-
Cell Phone vs. Traditional Touchtone Phone over POTS
by 3 days, 4 hours ago
-
Lost access to all my networked drives (shares) listed in My Computer
by 3 days, 19 hours ago
-
Set default size for pasted photo to word
by 4 days, 1 hour ago
-
Dedoimedo tries 24H2…
by 3 days, 13 hours ago
Remembering Woody
