CVE-2020-1350 Remediation Script
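#Requires -RunAsAdministrator
<#
.SYNOPSIS
Remediate CVE-2020-1350 on Windows Server
.DESCRIPTION
Remediate the Windows Server DNS Server vulnerability for CVE-2020-1350 if the security update hasn't been applied to the server yet.

The script applies the registry workaround described in KB4569509: it sets the DWORD value 'TcpReceivePacketSize'
under 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' to 0xFF00 (65,280 bytes) and restarts the DNS Server
service so the new value takes effect. With -RevertToDefault the value is set back to the default 0xFFFF (65,535 bytes)
rather than being deleted.

Writing to HKLM requires an elevated session, which '#Requires -RunAsAdministrator' enforces before anything runs.
The script supports -WhatIf and -Confirm for the registry write and the service restart.
.PARAMETER RevertToDefault
Revert the changes back to default.
.PARAMETER DoNotRestartDnsService
Don't restart the DNS server service during script execution. The new value is not in effect until the service has been restarted.
.OUTPUTS
The Get-ItemProperty result for 'TcpReceivePacketSize' after the change. Nothing is returned under -WhatIf.
.NOTES
The registry change is a workaround, not a replacement for the security update; once the update is installed the
workaround can be reverted with -RevertToDefault.

For more info on CVE-2020-1350:
* MSRC Blog Post - https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
* CVE-2020-1350 MSRC Advisory Page - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
* Microsoft Support KB4569509 Article - https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Position = 0)]
    [switch]$RevertToDefault,
    [Parameter(Position = 1)]
    [switch]$DoNotRestartDnsService
)
begin {
    # Registry key of the DNS Server service and the value name the KB4569509 workaround uses.
    $dnsRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
    $dnsRegValueName = "TcpReceivePacketSize"

    # Parameters shared by the New-ItemProperty / Get-ItemProperty calls below.
    $dnsRegDefaultSplat = @{
        "Path" = $dnsRegPath
        "Name" = $dnsRegValueName
    }

    $mitigatedValue = 0xFF00 # 65,280 bytes: the workaround value for an unpatched server
    $defaultValue = 0xFFFF   # 65,535 bytes: the default value, restored by -RevertToDefault
}
process {
    # Decide which value to write. A plain if/else reads more clearly than a switch on a [switch] parameter.
    if ($RevertToDefault) {
        Write-Verbose "Setting script to revert mitigations for CVE-2020-1350."
        $targetValue = $defaultValue
    }
    else {
        Write-Verbose "Setting script to apply mitigations for CVE-2020-1350."
        $targetValue = $mitigatedValue
    }

    # Fail with a clear message if the Parameters key is missing instead of creating it implicitly.
    # A missing key most likely means the DNS Server service is not installed on this host.
    if (-not (Test-Path -LiteralPath $dnsRegPath)) {
        throw "Registry key '$dnsRegPath' was not found. Is the DNS Server role installed on this server?"
    }

    # Change the property 'TcpReceivePacketSize' at key path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'.
    if ($PSCmdlet.ShouldProcess("DNS Service", "Set property '$dnsRegValueName' to '$targetValue'")) {
        # -Force creates the value or overwrites an existing one while keeping the explicit DWORD type.
        # This replaces the previous try/catch, which treated *any* New-ItemProperty failure (access denied,
        # missing key, ...) as "value already exists" and silently retried with Set-ItemProperty.
        $null = New-ItemProperty @dnsRegDefaultSplat -Value $targetValue -PropertyType "DWORD" -Force -ErrorAction "Stop"

        # Read the value back and confirm it is what was requested before touching the service.
        $written = (Get-ItemProperty @dnsRegDefaultSplat -ErrorAction "Stop").$dnsRegValueName
        if ($written -ne $targetValue) {
            throw "'$dnsRegValueName' reads back as '$written', expected '$targetValue'."
        }
    }

    # Restart the DNS Server service; the new value is not applied until the service restarts.
    if ($DoNotRestartDnsService) {
        Write-Warning "DNS Server Service is not being restarted. Service needs to be restarted before changes are applied."
    }
    elseif ($PSCmdlet.ShouldProcess("DNS Server", "Restart service")) {
        Restart-Service -Name "DNS" -Force -ErrorAction "Stop"
    }

    # Return the registry property's current value after the change. The read stays behind ShouldProcess
    # because under -WhatIf the value may not exist yet, and Get-ItemProperty -ErrorAction Stop would throw.
    if ($PSCmdlet.ShouldProcess($dnsRegPath, "Get property '$dnsRegValueName'")) {
        $currentDnsRegProp = Get-ItemProperty @dnsRegDefaultSplat -ErrorAction "Stop"
        return $currentDnsRegProp
    }
}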