The vulnerability this patch addresses carries a significant risk of exploitation. An attacker who successfully exploits it could run arbitrary code in the context of the Local System Account. Because most organizations install the DNS Server role on their domain controllers, the attacker would gain full control of a domain controller, and from there lateral movement to any domain-joined system is possible.
There is no known exploitation of this vulnerability in the wild. It is highly recommended that you patch all Windows DNS servers you own (internal and external) as soon as possible.
WHAT YOU NEED TO DO
To secure your environment, complete the following steps as soon as possible.
- IDENTIFY – All Windows DNS servers in your environment, both internal and external. You can use PowerShell to help.
- TEST – The applicable monthly servicing stack and cumulative update for the server operating system.
- DEPLOY – The applicable patch to all DNS servers in your environment as soon as possible.
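
One way to carry out the IDENTIFY step with PowerShell, as an added example that is not part of the original advisory. It assumes the RSAT ActiveDirectory module and CIM/WinRM access to the servers; the function name `Find-WindowsDnsServer` is hypothetical, and servers that are not domain joined (for example external DNS hosts) must be passed by name.

```powershell
# Added example: list Windows servers that run the DNS Server service,
# with the OS build needed to pick the applicable update.
function Find-WindowsDnsServer {
    [CmdletBinding()]
    param(
        # Hosts to check. Assumption: when omitted, every enabled Windows Server
        # computer account in the current AD domain is checked.
        [string[]]$ComputerName
    )

    if (-not $ComputerName) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $ComputerName = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' |
            Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName
    }

    foreach ($name in $ComputerName) {
        try {
            # The DNS Server role runs as the Windows service named "DNS".
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
                       -ComputerName $name -ErrorAction Stop
            if (-not $svc) { continue }   # reachable, but no DNS Server role

            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $name -ErrorAction Stop
            [pscustomobject]@{
                ComputerName       = $name
                OS                 = $os.Caption
                Build              = $os.Version
                # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
                IsDomainController = $cs.DomainRole -in 4, 5
                DnsService         = $svc.State
                StartMode          = $svc.StartMode
            }
        }
        catch {
            # Report unreachable hosts instead of dropping them:
            # a server that could not be checked may still run DNS.
            [pscustomobject]@{
                ComputerName = $name; OS = $null; Build = $null; IsDomainController = $null
                DnsService = "UNKNOWN: $($_.Exception.Message)"; StartMode = $null
            }
        }
    }
}

# Domain-wide sweep; pass -ComputerName for standalone or external servers.
Find-WindowsDnsServer | Sort-Object ComputerName | Format-Table -AutoSize
```

Rows marked `UNKNOWN` need a manual check before the inventory is treated as complete.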