You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020
[See the full post at: FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective]
FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective
woody
Manager
July 15, 2020 at 5:41 am #2280657
Microfix
AskWoody MVP
July 15, 2020 at 7:06 am #2280671
more info on the registry edit from the horse's mouth:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Workaround
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
TcpReceivePacketSize
Value = 0xFF00
Note: You must restart the DNS Service for the registry change to take effect.
The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Windows - commercial by definition and now function...
4 users thanked author for this post.
-
Marcus Weldby
AskWoody Plus
July 16, 2020 at 9:03 am #2281037
I did the TcpReceivePacketSize registry edit on my 2008R2 server, and I also installed KB4565540 on my 2012R2 server. After the reboot I’m not seeing a TcpReceivePacketSize entry on my 2012R2 server. Does the KB4565540 update solve the DNS issue a different way?
Thank you.
-
anonymous
Guest
July 22, 2020 at 9:09 am #2282451
FAQs in the guidance document recommend removing the registry workaround after a server has been patched, so the patch must solve the underlying issue rather than rely on the temporary packet size restriction.
1 user thanked author for this post.
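The registry workaround quoted earlier in this thread, and its removal after patching as mentioned in the reply above, as an added PowerShell example that is not part of any post or of Microsoft's guidance. The registry key, value name and 0xFF00 come from the quoted article; the `-Mode` parameter is a name made up for this example, and `DNS` is assumed to be the service name of the Windows DNS Server.

```powershell
# Added example: audit, apply or remove the TcpReceivePacketSize workaround.
# Run in an elevated PowerShell session on the DNS server itself.
param(
    [ValidateSet('Audit', 'Apply', 'Remove')]
    [string]$Mode = 'Audit'      # hypothetical parameter name; default is read-only
)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name  = 'TcpReceivePacketSize'
$value = 0xFF00                  # recommended value from the quoted guidance

# The workaround only matters where the DNS Server service exists.
$svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'DNS Server service not present; nothing to do.'
    return
}

# Returns $null when the value has never been created.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

switch ($Mode) {
    'Audit' {
        if ($null -eq $current) {
            Write-Output "$name is not set (default and max is 0xFFFF)."
        } elseif ($current -le $value) {
            Write-Output ('{0} = 0x{1:X}: at or below 0xFF00, workaround in place.' -f $name, $current)
        } else {
            Write-Output ('{0} = 0x{1:X}: above 0xFF00, workaround not in place.' -f $name, $current)
        }
    }
    'Apply' {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null
        Restart-Service -Name DNS      # the change takes effect only after a service restart
        Write-Output ('{0} set to 0x{1:X} and DNS service restarted.' -f $name, $value)
    }
    'Remove' {
        # For use once the security update is installed, per the guidance FAQ cited above.
        if ($null -ne $current) {
            Remove-ItemProperty -Path $key -Name $name
            Restart-Service -Name DNS
            Write-Output "$name removed and DNS service restarted."
        } else {
            Write-Output "$name was not set; nothing to remove."
        }
    }
}
```

Running it in the default `Audit` mode on each server answers the question raised above: the value exists only where someone created it, so a patched server that never had the workaround applied will report it as not set.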
-
Microfix
AskWoody MVP
July 15, 2020 at 10:42 am #2280712
If it’s a published Microsoft article, I would think so.
0Patch will probably issue something also given the severity of the potential. Perhaps implement the workaround in preparation for 0Patch or Microsoft, whichever lands first.
Windows - commercial by definition and now function...
-
-
Mr. Natural
AskWoody Lounger
July 15, 2020 at 3:20 pm #2280843
All of our DNS servers are 2012r2. I was able to update and reboot one of them today and the rest of them will be updated after hours this evening. I don’t foresee any issues but if I do I will follow up on this post tomorrow. If you don’t hear back then I would say no issues to report with the DNS server patches.
All other updates are on hold of course, for now.
Red Ruffnsore
3 users thanked author for this post.
-
Mr. Natural
AskWoody Lounger
July 16, 2020 at 7:56 am #2281027
I had no issues updating all servers overnight. Including the .net patches and the IE11 update for 2012r2. This includes 2012r2, 2016, and 2019 servers. All dns servers updated.
Disclaimer – your mileage may vary.
Red Ruffnsore
2 users thanked author for this post.
NetDef
AskWoody_MVP
July 15, 2020 at 9:25 pm #2280929
My team patched many servers early this morning, none had issues. Even our notoriously cranky Server 2016 machines patched quickly and easily this time around.
~ Group "Weekend" ~
2 users thanked author for this post.
Tchalms
AskWoody Lounger
July 18, 2020 at 7:38 pm #2281573
For those with Server 2008 R2 ( asking for “a friend” ) I’m wondering about updates from MS.
Can someone please verify what I think I found, or did I make a mistake connecting the dots?
This article:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Led me to this article:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
Which includes a table of articles and updates for every server from 2008 to 2019 and the Core Servers up to 2004.
The links in the table lead to the Microsoft Update Catalog and buttons to download the update.
What is the correct procedure for installing one of these updates?
-
NetDef
AskWoody_MVP
July 18, 2020 at 9:40 pm #2281590
I saw that too, and wish I had an old Server 2008 R2 to play with still. My guess is that it would manually update from the download fine. Uncertain I would want to test on a production server. Then again, if you have a 2008 R2 production server, try it, and it fails . . . it might be the kick needed to upgrade. 😉
Wait a minute . . . I have a HyperV image backup of an old 2008 R2 from a couple years ago from a retired machine. Stand by.
~ Group "Weekend" ~
-
NetDef
AskWoody_MVP
July 18, 2020 at 10:21 pm #2281600
That was a fun ride.
Spun up an orphaned HyperV image of an old Server 2008 R2 application server. I want to emphasize this is a pretty plain-jane server config: It does NOT have any advanced roles like Active Directory / Domain Controller installed. It was a print and application server only. Also of note is I let Windows Update catch it up to January 2020 before the following experiment.
1) Downloaded the MSU via Catalog link for Server 2008 R2 listed at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
2) Tried to install it and failed with this message:
Note: Clicking that blue link in the error took me to a VERY outdated Microsoft page, which subsequently led down a rabbit hole of obsolete downloads for Service Stack editions dating circa 2011 . . . (in other words, don’t bother!)
3) Circled around and found the Server 2008 R2 July 2020 Service stack update for ESU customers at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4565354 and successfully installed that. (Note: I do not have ESU on this machine, nor was ESU simulated per other sources available on this site.)
4) After that step, I was able to successfully install the July 2020 Rollup on this machine.
(It did provide a success message, but that window didn’t include the KB number.)
Remember class, this was NOT on a production server – after this test I shut it down and relegated the HyperV image back to storage. All disclaimers apply here.
TL:DR – it appears Microsoft is not blocking this update for Server 2008 R2.
But – it failed on reboot (see next message)
~ Group "Weekend" ~
-
NetDef
AskWoody_MVP
July 18, 2020 at 10:33 pm #2281606
So I had a thought and went to spin that HyperV machine back up to check on something — and it’s a good thing I did! It powered up on the second phase install of the July Rollup and presented me with this:
Once it recovered, the Update history shows:
I suspect either a prerequisite patch after Jan 2020 is missing (in spite of the fact that roll-ups are supposed to include that stuff) OR this patch doesn’t check ESU status until the reboot – which is playing nasty since this is openly available on the Microsoft Catalog.
If I have time will dig deeper in a few days.
~ Group "Weekend" ~
-
Paul T
AskWoody MVP
July 19, 2020 at 12:12 am #2281628
For those with Server 2008 R2 ( asking for “a friend” )
A reminder: if the server isn’t in an AD network or doesn’t run DNS server it doesn’t need the update.
cheers, Paul
Tchalms
AskWoody Lounger
July 19, 2020 at 3:13 pm #2281757
For those with Server 2008 R2 ( asking for “a friend” )
A reminder: if the server isn’t in an AD network or doesn’t run DNS server it doesn’t need the update.
cheers, Paul
PaulT: Yeah, a client has had serious budget troubles and couldn’t do the server upgrade last year … then came Covid. They are running AD and DNS Server. I have done the Registry edit.
NetDef: Thanks for the efforts and info !!