
Vulnerability in Microsoft DNS Server Could Allow Remote Code Execution (MS15-127)

MS-ISAC ADVISORY NUMBER:

2015-140

DATE(S) ISSUED:

12/07/2015

OVERVIEW:

A vulnerability has been discovered in Microsoft’s Windows Domain Name System (DNS) Server which could allow remote code execution. Successful exploitation of this vulnerability could allow an attacker to gain elevated privileges, resulting in complete control of the system.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the Local System Account. Depending on the privileges associated with the account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Windows Server 2008, R2, and Server Core Installations
  • Windows Server 2012, R2, and Server Core Installations

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

A use after free vulnerability was discovered in Windows DNS Server when it fails to properly parse specially crafted DNS requests (CVE-2015-6125). This vulnerability can be exploited if an attacker issues a malicious request to a vulnerable Windows server configured as a DNS server.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the Local System Account. Depending on the privileges associated with the account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Implement logging and monitor logs to ensure that only authorized users are accessing resources and identify any unauthorized modifications or unusual traffic. Store logs for a minimum of 90 days.
