Vulnerabilities > CVE-2016-3227 - DNS Use After Free Remote Code Execution vulnerability in Microsoft Windows Server 2012 R2

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus

Summary

Use-after-free vulnerability in the DNS Server component in Microsoft Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted requests, aka "Windows DNS Server Use After Free Vulnerability." CWE-416: Use After Free (http://cwe.mitre.org/data/definitions/416.html)

Vulnerable Configurations

Part Description Count
OS
Microsoft
4

Msbulletin

bulletin_id: MS16-071
bulletin_url:
date: 2016-06-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 3164065
knowledgebase_url:
severity: Critical
title: Security Update for Microsoft Windows DNS Server

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS16-071.NASL
description: The remote Windows host is affected by a remote code execution vulnerability in the Windows Domain Name System (DNS) server due to improper handling of DNS requests. An unauthenticated, remote attacker can exploit this, via specially crafted DNS requests, to execute arbitrary code in the context of the Local System Account.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91599
published: 2016-06-14
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91599
title: MS16-071: Security Update for Microsoft Windows DNS Server (3164065)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when `description` is set the plugin only declares its
# metadata and then exits (see exit(0) at the end of the block), so nothing in
# here touches the scanned host.
if (description)
{
  # Plugin identity and revision stamp.
  script_id(91599);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/19");

  # Cross-references: the CVE, the Bugtraq id, the Microsoft bulletin, the two
  # KB articles tied to it, and the IAVA notice.
  script_cve_id("CVE-2016-3227");
  script_bugtraq_id(91117);
  script_xref(name:"MSFT", value:"MS16-071");
  script_xref(name:"MSKB", value:"3161951");
  script_xref(name:"MSKB", value:"3164065");
  script_xref(name:"IAVA", value:"2016-A-0153");

  # The summary states how the verdict is reached: by the file version of
  # dns.exe, not by sending DNS traffic to the service.
  script_name(english:"MS16-071: Security Update for Microsoft Windows DNS Server (3164065)");
  script_summary(english:"Checks the version of dns.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a remote code execution
vulnerability in the Windows Domain Name System (DNS) server due to
improper handling of DNS requests. An unauthenticated, remote attacker
can exploit this, via specially crafted DNS requests, to execute
arbitrary code in the context of the Local System Account.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-071");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2012 and 2012 R2.");
  # CVSS v2 base: network vector, low complexity, no authentication, complete
  # confidentiality/integrity/availability impact. Temporal: exploitability
  # unproven (E:U), official fix available (RL:OF), report confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # CVSS v3.0 equivalents of the two vectors above.
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3227");

  # Exploit status as recorded in this plugin revision; it is static metadata,
  # not something the script evaluates at scan time.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, patch and plugin release all carry the same date.
  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/14");

  # "local" plugin type: consistent with the summary above, the result comes
  # from data read off the host rather than from the DNS service's responses.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # The CPE names Windows as a whole; the affected releases are narrowed down
  # by the checks that run after this block.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Declared as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling prerequisites: the two named plugins are declared as
  # dependencies, and the KB key they are expected to set is required.
  # NOTE(review): presumably the port list means "SMB on 139/445 or
  # patch-management data present" - confirm against the engine documentation.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  # Leave before any host check is reached.
  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Gate: stop unless an earlier plugin recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# `kb` is the update identifier handed to the dns.exe file checks further down;
# `kbs` adds 3164065 (the number shown in the plugin title) and is only used
# for the patch-management lookup on the next statement.
bulletin = 'MS16-071';
kb  = '3161951';
kbs = make_list(kb, '3164065');

# When patch-management data is available, hand the bulletin and KB list to the
# third-party check. NOTE(review): whether that call ends the script is decided
# inside the helper and is not visible here.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file check needs registry enumeration and a known Windows version; a
# missing version is reported with exit code 1 instead of a clean exit.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the win8 / win81 version families at service pack 0 stay in scope
# (the file checks below use os "6.2" and "6.3"); anything else is audited
# out as a non-vulnerable OS/SP.
if (hotfix_check_sp_range(win8:'0', win81:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

# Windows 8/8.1 is not affected
# The substring test matches any product name containing "Windows 8", which
# covers both client releases named in the comment above; that leaves the
# server editions sharing those version families.
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname)
  exit(0, "The host is running "+productname+" and hence is not affected.");

# The verdict depends on reading files through the system drive's share. If the
# share cannot be accessed the script audits out with AUDIT_SHARE_FAIL, which is
# a failed check and not a "not affected" result.
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Compare dns.exe under \system32 against the fixed build for each affected
# server release. The second check runs only when the first one does not
# report a vulnerable file, exactly as with a short-circuit OR.
if (
  # Windows Server 2012 R2
  !hotfix_is_vulnerable(
    os:"6.3", sp:0,
    file:"dns.exe", dir:"\system32",
    version:"6.3.9600.18340", min_version:"6.3.9600.16000",
    bulletin:bulletin, kb:kb
  ) &&

  # Windows Server 2012
  !hotfix_is_vulnerable(
    os:"6.2", sp:0,
    file:"dns.exe", dir:"\system32",
    version:"6.2.9200.21872", min_version:"6.2.9200.16000",
    bulletin:bulletin, kb:kb
  )
)
{
  # Neither release has an outdated dns.exe: finish the file-version checks
  # and audit the host out as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Only reached when one of the checks flagged the file, because audit() ends
# the script (it is used as a bare guard earlier in this file as well).
# Record the missing bulletin in the KB, report the finding, then finish the
# file-version checks before exiting.
set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);

The Hacker News

id: THN:FF01F7FCA64A83FA0125892716532D26
last seen: 2018-01-27
modified: 2016-06-15
published: 2016-06-14
reporter: Swati Khandelwal
source: https://thehackernews.com/2016/06/microsoft-security-update.html
title: Microsoft releases tons of Security Updates to patch 44 vulnerabilities