Source: nessus
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
File: MS_DNS_CVE-2020-1350.NASL
HistoryJul 16, 2020 - 12:00 a.m.

Microsoft DNS Server Remote Code Execution (SIGRed)

2020-07-16 00:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

According to its self-reported version number, the Microsoft DNS Server running on the remote host is affected by a remote code execution vulnerability. An unauthenticated, remote attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.

Note that in order to get the full Microsoft DNS server version, the EnableVersionQuery DNS setting would need to be set to 1.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Metadata pass: when `description` is set, the plugin only registers its
# identifiers, cross-references, scoring and prerequisites, then exits via
# exit(0) at the end of this block, so the version check further down does not
# run during this pass.
if (description)
{
  script_id(138554);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/03/08");

  # Cross-references: the CVE, the IAVA notice, and one MSKB/MSFT pair per
  # update listed for this issue. The CISA-KNOWN-EXPLOITED xref carries a date;
  # NOTE(review): presumably a remediation deadline - confirm against the
  # catalogue before using it for SLA tracking.
  script_cve_id("CVE-2020-1350");
  script_xref(name:"IAVA", value:"2020-A-0299");
  script_xref(name:"MSKB", value:"4558998");
  script_xref(name:"MSKB", value:"4565483");
  script_xref(name:"MSKB", value:"4565503");
  script_xref(name:"MSKB", value:"4565511");
  script_xref(name:"MSKB", value:"4565524");
  script_xref(name:"MSKB", value:"4565529");
  script_xref(name:"MSKB", value:"4565535");
  script_xref(name:"MSKB", value:"4565536");
  script_xref(name:"MSKB", value:"4565537");
  script_xref(name:"MSKB", value:"4565539");
  script_xref(name:"MSKB", value:"4565540");
  script_xref(name:"MSKB", value:"4565541");
  script_xref(name:"MSFT", value:"MS20-4558998");
  script_xref(name:"MSFT", value:"MS20-4565483");
  script_xref(name:"MSFT", value:"MS20-4565503");
  script_xref(name:"MSFT", value:"MS20-4565511");
  script_xref(name:"MSFT", value:"MS20-4565524");
  script_xref(name:"MSFT", value:"MS20-4565529");
  script_xref(name:"MSFT", value:"MS20-4565535");
  script_xref(name:"MSFT", value:"MS20-4565536");
  script_xref(name:"MSFT", value:"MS20-4565537");
  script_xref(name:"MSFT", value:"MS20-4565539");
  script_xref(name:"MSFT", value:"MS20-4565540");
  script_xref(name:"MSFT", value:"MS20-4565541");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2020/07/24");
  script_xref(name:"CEA-ID", value:"CEA-2020-0129");
  script_xref(name:"CEA-ID", value:"CEA-2020-0059");

  script_name(english:"Microsoft DNS Server Remote Code Execution (SIGRed)");

  # The finding is inferred from the self-reported DNS server version, as the
  # description text says; nothing in this plugin probes the flaw itself.
  # A result is therefore only as reliable as the version string the host
  # discloses (see the EnableVersionQuery note in the description).
  script_set_attribute(attribute:"synopsis", value:
"The DNS server running on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Microsoft DNS
Server running on the remote host is affected by a remote code
execution vulnerability. An unauthenticated, remote attacker who
successfully exploited the vulnerability could run arbitrary code in
the context of the Local System Account.

Note that in order to get the full Microsoft DNS server version, the
EnableVersionQuery DNS setting would need to be set to 1.");
  # https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22a53c13");
  # NOTE(review): the solution names patches only. Because the check is a
  # version comparison, a host protected by a configuration workaround
  # instead of the update would presumably still be reported - confirm
  # before closing such findings as false positives.
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, version 1903, 1909, and 2004.");
  # Scoring: both base vectors describe a network-reachable flaw with low
  # complexity and no authentication (Au:N / PR:N) and full impact on
  # confidentiality, integrity and availability. The v3 vector additionally
  # records no user interaction (UI:N) and a changed scope (S:C). The temporal
  # vectors record high exploit maturity (E:H) with an official fix available.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1350");

  # Exploitation status flags: exploits are marked as available, present in an
  # exploit framework, and used by malware. Useful for prioritisation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  # Disclosure and patch share the same date; the plugin followed two days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/16");

  # Remote (uncredentialed) plugin; the CPE is the Windows OS as a whole
  # rather than a DNS-specific product entry.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Information-gathering category: the plugin is declared as non-intrusive.
  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the plugin requires the 'ms_dns/version' KB key, presumably
  # populated by ms_dns_version.nasl. If that key is missing (for example
  # because the server does not disclose its version) this check is not
  # evaluated, so the absence of a finding is not evidence that the host is
  # patched.
  script_dependencies("ms_dns_version.nasl");
  script_require_keys("ms_dns/version");

  exit(0);
}

include('vcf.inc');

# Gate: read the DNS server version recorded in the KB. Going by its name,
# get_kb_item_or_exit() ends the plugin when the key is absent. The returned
# value is not used again in this listing; the lookup below goes through
# kb_ver instead.
kb_ver = 'ms_dns/version';
version = get_kb_item_or_exit(kb_ver);

# Vulnerable ranges, one row per servicing branch. Each row runs from the
# branch's first build ('min_version') up to the first patched build
# ('fixed_version').
#
# NOTE(review): a reported version that falls in none of these ranges (a build
# lower than a row's min_version, or a release that has no row here) matches
# no constraint. How vcf::check_version_and_report() treats that case is not
# visible in this file - presumably as "not affected" - so a clean result on
# such a host should not be read as "patched". Confirm against vcf.inc.
constraints = [
  # Windows Server 2008
  {
    'min_version'   : '6.0.6003.0',
    'fixed_version' : '6.0.6003.20885'
  },
  # Windows Server 2008 R2
  {
    'min_version'   : '6.1.7601.0',
    'fixed_version' : '6.1.7601.24557'
  },
  # Windows Server 2012
  {
    'min_version'   : '6.2.9200.0',
    'fixed_version' : '6.2.9200.23084'
  },
  # Windows Server 2012 R2
  {
    'min_version'   : '6.3.9600.0',
    'fixed_version' : '6.3.9600.19759'
  },
  # Windows Server 2016
  {
    'min_version'   : '10.0.14393.0',
    'fixed_version' : '10.0.14393.3808'
  },
  # Windows Server 2019
  {
    'min_version'   : '10.0.17763.0',
    'fixed_version' : '10.0.17763.1339'
  },
  # Windows Server, version 1903 and 1909 (both are covered by the same KB)
  {
    'min_version'   : '10.0.18362.0',
    'fixed_version' : '10.0.18362.959'
  },
  # Windows Server, version 2004
  {
    'min_version'   : '10.0.19041.0',
    'fixed_version' : '10.0.19041.388'
  }
];

# The finding is reported against the standard DNS port.
port = 53;

app_info = vcf::get_app_info(
  app    : 'Microsoft DNS server',
  kb_ver : kb_ver,
  port   : port
);

# All four version segments are requested before comparing.
# NOTE(review): presumably this stops the check when the server discloses only
# a truncated version (see the EnableVersionQuery note in the plugin
# description) - confirm against vcf.inc.
vcf::check_granularity(app_info:app_info, sig_segments:4);

# Version comparison only; a match is reported at SECURITY_HOLE severity.
vcf::check_version_and_report(
  app_info    : app_info,
  constraints : constraints,
  severity    : SECURITY_HOLE
);

| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | windows | | cpe:/o:microsoft:windows |