Situation
There is a critical vulnerability in Windows DNS Server.
Impact
A remote unauthenticated attacker who successfully exploited the vulnerability can run arbitrary code on behalf of SYSTEM on a Windows Server. Plesk for Windows installations with installed Windows DNS Server are affected.
Affected Operating Systems
Windows Server 2019, 2016, 2012 R2, 2012. These versions are all supported by Plesk.
Call to action
Install windows updates in Windows > Start and search for Windows Updates.
Workaround #1
-
Connect to the server via RDP
-
Start CMD
-
Set the maximum length of a DNS message (over TCP) to 0xFF00:
C:> reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDNSParameters” /v “TcpReceivePacketSize” /t REG_DWORD /d 0xFF00 /f
-
Restart the DNS Service:
C:> net stop DNS && net start DNS
-
After Windows updates are installed, remove the workaround:
C:> reg delete “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDNSParameters” /v “TcpReceivePacketSize”
Workaround #2
Install and use BIND DNS Server instead of Microsoft DNS Server:
-
Go to Tools & Settings > Updates > Add/Remove Components, select BIND DNS Server, and click Continue.
-
Go to Tools & Settings > Server Components > DNS Server, select BIND DNS Server, and click OK.