cbcvebase.
CVE-2021-26897
published 2021-03-11

CVE-2021-26897: Windows DNS Server Remote Code Execution Vulnerability

PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
13.91%
96.1th percentile
Windows DNS Server Remote Code Execution Vulnerability

Affected

25 ranges
VendorProductVersion rangeFixed in
microsoftwindows_server_2008
microsoftwindows_server_2008
microsoftwindows_server_2008_r2_service_pack_1>= 6.0.0 < publicationpublication
microsoftwindows_server_2008_r2_service_pack_1>= 6.1.0 < publicationpublication
microsoftwindows_server_2008_service_pack_2>= 6.0.0 < publicationpublication
microsoftwindows_server_2012
microsoftwindows_server_2012>= 6.2.0 < publicationpublication
microsoftwindows_server_2012_r2>= 6.3.0 < publicationpublication
microsoftwindows_server_2016
microsoftwindows_server_2016
microsoftwindows_server_2016
microsoftwindows_server_2016>= 10.0.0 < publicationpublication
microsoftwindows_server_2019>= 10.0.0 < publicationpublication
microsoftwindows_server_version_2004>= 10.0.0 < publicationpublication
microsoftwindows_server_version_20h2>= 10.0.0 < publicationpublication
msrcwindows_server_2008_for_32-bit_systems_service_pack_2
msrcwindows_server_2008_for_x64-based_systems_service_pack_2
msrcwindows_server_2008_r2_for_x64-based_systems_service_pack_1
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_server_2016
msrcwindows_server_2019
msrcwindows_server_version_1909
msrcwindows_server_version_2004
msrcwindows_server_version_20h2

Detection & IOCsextracted from sources · hover to see the quote

port53/tcp
snort
alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)"; dsize:>1300; content:"|29 00|"; offset:2; depth:2; threshold:type limit, count 45, seconds 90, track by_src; reference:cve,2021-26897; classtype:attempted-admin; sid:2032348; rev:1; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26897, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_30;)
bytes
|29 00| at offset 2, depth 2, in TCP packets to port 53 with dsize >1300
  • Trigger on TCP packets to DNS servers (port 53) with packet size greater than 1300 bytes containing the byte sequence 0x29 0x00 at offset 2 — characteristic of CVE-2021-26897 exploit attempts. Rate-limit alerting to 45 events per 90 seconds per source IP to reduce noise.
  • The vulnerability is only exploitable on servers with dynamic DNS updates enabled. Prioritize monitoring/patching DNS servers where dynamic updates are active.
  • ·Secure Zone Updates is only a partial mitigation and does not fully prevent exploitation of CVE-2021-26897.
  • ·Servers not configured as DNS servers are not vulnerable.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
vendor_msrc9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.