Background
On June 12, Microsoft released its monthly patches, including several relating to critical vulnerabilities. The most concerning patch relates to a remote code execution vulnerability in the DNSAPI dynamic link library which has been assigned the identifier CVE-2018-8225. The DNSAPI is used for Domain Name System resolution and is a required component for a Windows-based machine to communicate over a computer network.
Impact
This vulnerability allows an attacker to remotely execute code in the context of the local system account (NT Authority\SYSTEM) by forcing the target system to make a DNS query to a malicious DNS server. The malicious server's DNS response is then returned to the system that issued the query, and processing that response triggers the vulnerability. DNS queries are among the most common network activities, and an attacker may have several ways to trick a machine into initiating such a query.
Platforms affected
- All versions of Windows 7
- All versions of Windows 8
- All versions of Windows 10
- All versions of Windows Server 2008
- All versions of Windows Server 2012
- All versions of Windows Server 2016
Local observations
No known exploits existed in the wild at the time this article was published; as such, the UISO has not observed local attacks exploiting this vulnerability. Given the ease with which this vulnerability could be exploited and the impact of a successful exploit, there is concern that it could be adapted into a wormable exploit, in which case exploitation would likely spread at a rapid pace.
UISO recommendations
IT professionals and those responsible for administering Windows-based systems should install the June Cumulative Security Update immediately and restart affected machines as soon as possible.
Workarounds
There are no known workarounds short of disabling network interfaces on a vulnerable system.
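Because exploitation (see Impact above) requires the target to exchange DNS traffic with an attacker-controlled server, and no configuration workaround exists, one compensating control is to alert on DNS traffic from Windows hosts to any resolver other than the organisation's own. The Python script below is an added example, not part of this advisory, that flags such traffic in constructed firewall-style log lines; the log format and the approved resolver addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log: timestamp, action, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2018-06-13T08:01:02Z ALLOW udp 10.1.2.20:51234 -> 10.0.0.53:53
2018-06-13T08:01:05Z ALLOW udp 10.1.2.20:51235 -> 10.0.0.54:53
2018-06-13T08:01:09Z ALLOW udp 10.1.2.21:49152 -> 198.51.100.9:53
2018-06-13T08:01:11Z ALLOW tcp 10.1.2.21:49153 -> 198.51.100.9:53
2018-06-13T08:01:15Z ALLOW tcp 10.1.2.22:49200 -> 203.0.113.7:443
2018-06-13T08:01:20Z ALLOW udp 10.1.2.23:49300 -> 10.0.0.53:53
"""

# Resolvers the organisation operates itself (assumed addresses).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.0.54")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def unapproved_dns(log_text, approved=APPROVED_RESOLVERS):
    """Map each client IP to the sorted list of non-approved resolvers it sent DNS to."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:   # only DNS (TCP or UDP port 53)
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in approved:
            findings[rec["src"]].add(str(dst))
    return {src: sorted(dsts) for src, dsts in findings.items()}

if __name__ == "__main__":
    for client, resolvers in unapproved_dns(SAMPLE_LOG).items():
        print(f"{client} sent DNS to unapproved resolver(s): {', '.join(resolvers)}")
```

A host that appears in the output is talking to a resolver it should not need, which is the precondition for this vulnerability being triggered and is worth investigating even on patched systems.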