CVE-2016-3227

Vulnerability

A use-after-free vulnerability exists in the Windows DNS Server component of Microsoft Windows Server 2012 Gold and Windows Server 2012 R2 (including Server Core installations). The flaw is triggered when the affected DNS server processes specially crafted requests, leading to memory corruption. No authentication or special configuration is required to reach the vulnerable code path; any sender that can deliver a DNS query to the server can potentially exploit the bug. Versions prior to the June 2016 security update (MS16-071) are vulnerable [1].

Exploitation

An attacker can exploit this vulnerability by sending a series of specially crafted DNS requests to a target DNS server from a remote network position. The attacker does not need any prior authentication or user interaction. The crafted requests trigger a use-after-free condition in the DNS server's memory management, allowing the attacker to control program execution flow [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code in the context of the DNS Server process. This typically runs under a high-privilege account (SYSTEM or NETWORK SERVICE), giving the attacker full control over the affected server. The attacker could then install programs, view/change/delete data, or launch additional attacks against internal network resources [1].

Mitigation

Microsoft released security update MS16-071 (KB3161951) on June 14, 2016, which addresses the vulnerability by correcting how the DNS server handles requests. All affected versions of Windows Server 2012 and Windows Server 2012 R2 are patched by applying this update. No workarounds other than applying the update have been provided. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].