{"id":7810,"date":"2024-08-17T08:00:50","date_gmt":"2024-08-16T23:00:50","guid":{"rendered":"https:\/\/m365jp.net\/?p=7810"},"modified":"2024-08-17T08:15:44","modified_gmt":"2024-08-16T23:15:44","slug":"mc860722-updated-guidance-for-dns-security-hardening-changes-in-cve-2024-37968","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2024-08-17-mc860722-updated-guidance-for-dns-security-hardening-changes-in-cve-2024-37968","title":{"rendered":"MC860722 | (Updated) Guidance for DNS security hardening changes in CVE-2024-37968"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC860722 | (Updated) Guidance for DNS security hardening changes in CVE-2024-37968<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>preventOrFixIssue<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>08\/16\/2024 22:36:14<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>08\/16\/2024 22:36:12<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>08\/16\/2025 22:36:12<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Before the installation of Windows updates that were released on August 13, 2024, Windows Domain Name System (DNS) servers implicitly trusted the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/openspecs\/windows_protocols\/ms-dnsp\/a95b05da-f1fd-4db3-94b4-817fdaa1f642#gt_5aa9e7c0-e2fd-45f3-9edd-076147deba0a\" rel=\"noopener noreferrer\" target=\"_blank\">glue   records<\/a>. These records were used for recursion and to answer queries without first validating Name Server (NS) IP addresses (glue records). This default process will change once you install the updates released on or after August 13, 2024.<\/div>\n<div>  <\/div>\n<div><b>When will this happen:<\/b>&nbsp;<\/div>\n<div>Windows updates released on or after August 13, 2024 contain hardening protections for&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-37968\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-37968 | Windows DNS Spoofing Vulnerability<\/a>.   These protections trigger DNS servers to validate glue records returned by a parent domain before first use.&nbsp;<\/div>\n<div>&nbsp;<\/div>\n<div><b>What you need to do to prepare:<\/b>&nbsp;<\/div>\n<div>We recommend taking the following actions:\u200b\u200b\u200b\u200b\u200b\u200b\u200b<\/div>\n<ul>\n<li>Install the Windows update released on or after August 13, 2024.<\/li>\n<li>Make sure glue records registered on a parent domain are valid and match the data that is provided by the authoritative name servers.<\/li>\n<li>Remove or update stale glue records (outdated, inactive, or invalid IP addresses) to prevent DNS client queries from returning unexpected results.<\/li>\n<li>Perform these validation actions for all domains in your environment. We recommend prioritizing validation of the external domains first and then the internal domains in your organization.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>Additional information:<\/b>&nbsp;<\/div>\n<div>The DNS Server Security hardening changes to address <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-37968\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2024-37968<\/a> affect the following Windows versions:<\/div>\n<ul>\n<li>Windows Server, version 23H2<\/li>\n<li>Windows Server 2022<\/li>\n<li>Windows Server 2019<\/li>\n<li>Windows Server 2016<\/li>\n<li>Windows Server 2012 R2<\/li>\n<li>Windows Server 2012<\/li>\n<li>Windows Server 2008 R2 Service Pack 1<\/li>\n<li>Windows Server 2008 SP2<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<div>2024 \u5e74 8 \u6708 13 \u65e5\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u524d\u306f\u3001Windows \u30c9\u30e1\u30a4\u30f3 \u30cd\u30fc\u30e0 \u30b7\u30b9\u30c6\u30e0 (DNS) \u30b5\u30fc\u30d0\u30fc\u306f<a href=\"https:\/\/learn.microsoft.com\/openspecs\/windows_protocols\/ms-dnsp\/a95b05da-f1fd-4db3-94b4-817fdaa1f642#gt_5aa9e7c0-e2fd-45f3-9edd-076147deba0a\" rel=\"noopener noreferrer\" target=\"_blank\">\u30b0\u30eb\u30fc   \u30ec\u30b3\u30fc\u30c9<\/a>\u3092\u6697\u9ed9\u7684\u306b&nbsp;\u4fe1\u983c\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30ec\u30b3\u30fc\u30c9\u306f\u3001\u518d\u5e30\u3084\u3001\u6700\u521d\u306b\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc (NS) \u306e IP \u30a2\u30c9\u30ec\u30b9 (\u30b0\u30eb\u30fc\u30ec\u30b3\u30fc\u30c9) \u3092\u691c\u8a3c\u305b\u305a\u306b\u30af\u30a8\u30ea\u306b\u5fdc\u7b54\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u65e2\u5b9a\u306e\u30d7\u30ed\u30bb\u30b9\u306f\u30012024 \u5e74 8 \u6708 13 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3068\u5909\u66f4\u3055\u308c\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u3053\u308c\u306f\u3044\u3064\u884c\u308f\u308c\u307e\u3059\u304b:<\/b>&nbsp;<\/div>\n<div>2024 \u5e74 8 \u6708 13 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u306f\u3001CVE-2024-37968 \u306b\u5bfe\u3059\u308b&nbsp;\u5f37\u5316\u4fdd\u8b77\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-37968\" rel=\"noopener noreferrer\" target=\"_blank\">  |Windows DNS \u306e\u306a\u308a\u3059\u307e\u3057\u306e\u8106\u5f31\u6027<\/a>\u3002\u3053\u308c\u3089\u306e\u4fdd\u8b77\u306b\u3088\u308a\u3001DNS \u30b5\u30fc\u30d0\u30fc\u306f\u3001\u89aa\u30c9\u30e1\u30a4\u30f3\u304b\u3089\u8fd4\u3055\u308c\u305f\u30b0\u30eb\u30fc \u30ec\u30b3\u30fc\u30c9\u3092\u6700\u521d\u306b\u4f7f\u7528\u3059\u308b\u524d\u306b\u691c\u8a3c\u3057\u307e\u3059\u3002&nbsp;<\/div>\n<div>&nbsp;<\/div>\n<div><b>\u6e96\u5099\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3053\u3068:<\/b>&nbsp;<\/div>\n<div>\u6b21\u306e\u30a2\u30af\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/???????<>  <\/p>\n<ul>\n<li>2024 \u5e74 8 \u6708 13 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/li>\n<li>\u89aa\u30c9\u30e1\u30a4\u30f3\u306b\u767b\u9332\u3055\u308c\u3066\u3044\u308b\u30b0\u30eb\u30fc \u30ec\u30b3\u30fc\u30c9\u304c\u6709\u52b9\u3067\u3042\u308a\u3001\u6a29\u9650\u306e\u3042\u308b\u30cd\u30fc\u30e0 \u30b5\u30fc\u30d0\u30fc\u306b\u3088\u3063\u3066\u63d0\u4f9b\u3055\u308c\u308b\u30c7\u30fc\u30bf\u3068\u4e00\u81f4\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<li>\u53e4\u3044\u30b0\u30eb\u30fc\u30ec\u30b3\u30fc\u30c9 (\u53e4\u3044\u3001\u975e\u30a2\u30af\u30c6\u30a3\u30d6\u306a\u3001\u307e\u305f\u306f\u7121\u52b9\u306a IP \u30a2\u30c9\u30ec\u30b9) \u3092\u524a\u9664\u307e\u305f\u306f\u66f4\u65b0\u3057\u3066\u3001DNS \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30af\u30a8\u30ea\u304c\u4e88\u671f\u3057\u306a\u3044\u7d50\u679c\u3092\u8fd4\u3055\u306a\u3044\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u3053\u308c\u3089\u306e\u691c\u8a3c\u30a2\u30af\u30b7\u30e7\u30f3\u306f\u3001\u74b0\u5883\u5185\u306e\u3059\u3079\u3066\u306e\u30c9\u30e1\u30a4\u30f3\u306b\u5bfe\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002\u6700\u521d\u306b\u5916\u90e8\u30c9\u30e1\u30a4\u30f3\u306e\u691c\u8a3c\u3092\u512a\u5148\u3057\u3001\u6b21\u306b\u7d44\u7e54\u5185\u306e\u5185\u90e8\u30c9\u30e1\u30a4\u30f3\u306e\u691c\u8a3c\u3092\u512a\u5148\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>\u8ffd\u52a0\u60c5\u5831:<\/b>&nbsp;<\/div>\n<div><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-37968\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-37968<\/a> \u306b\u5bfe\u51e6\u3059\u308b\u305f\u3081\u306e DNS \u30b5\u30fc\u30d0\u30fc \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u306e\u5909\u66f4\u306f\u3001\u6b21\u306e Windows \u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u5f71\u97ff\u3057\u307e\u3059\u3002<\/div>\n<ul>\n<li>Windows Server \u30d0\u30fc\u30b8\u30e7\u30f3 23H2<\/li>\n<li>Windows Server 2022 \u306e\u5834\u5408<\/li>\n<li>Windows Server 2019 \u306e\u5834\u5408<\/li>\n<li>Windows Server 2016 \u306e\u5834\u5408<\/li>\n<li>Windows Server 2012 R2<\/li>\n<li>Windows Server 2012 \u306e\u5834\u5408<\/li>\n<li>Windows Server 2008 R2 Service Pack 1 (\u82f1\u8a9e)<\/li>\n<li>Windows Server 2008 SP2<\/li>\n<\/ul><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC860722 | (Updated) Guidance for DNS security hardening changes in CVE-2024-37968 Classification preventOrFix [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7810","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/7810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=7810"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/7810\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=7810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=7810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=7810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}