High
CVE-2021-26897
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(1 user assessed)Moderate
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Windows DNS Server Remote Code Execution Vulnerability
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
Vulnerability Overview
0patch released a blog article about their micro patch concerning CVE-2021-26897. It describes the root cause as
CVE-2021-26897 is a buffer overflow issue, whereby a series of oversized “dynamic update” DNS queries with SIG (signature) records causes writing beyond the buffer boundary when these records are saved to file.
According to the blog article the record saves happen
- periodically or
- when the DNS service stops
The analysis of 0patch was based on an article from the McAfee Labs. They provided enough information to enable 0patch to gain understanding were the vulnerability is located.
Successful exploitation of this vulnerability results in running code with Local System privileges. A attacker does need a domain joined computer and have access to a DNS server. The configuration of the DNS server needs to have Dynamic Updates activated.
In an Active Directory environment Dynamic Updates are enabled by default. The default setting secure dynamic updates only allows domain joined computers to update a DNS zone.
Score reasoning
I rated the Attack Value pretty high. Successful exploitation provides adversaries with high privileged access to domain controllers.
The Exploitability score is based on the fact, that the vulnerability can be reversed through public resources and seems to be a buffer overflow. Nevertheless the broader mass of adversaries might be waiting for a detailed writeup or P-o-C and act opportunistic.
Sources:
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows server 2008 r2,
- windows server 2008 sp2,
- windows server 2012 -,
- windows server 2012 r2,
- windows server 2016 -,
- windows server 2016 1909,
- windows server 2016 2004,
- windows server 2016 20h2,
- windows server 2019 -
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: