Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability

Microsoft has introduced a patch to resolve a 17-year old wormable remote code execution vulnerability identified in Windows DNS Server. The vulnerability can be exploited remotely, demand a low-level skill to exploit, and could permit an attacker to seize full control of the entire IT infrastructure of a company.

Security researchers at Check Point discovered vulnerability CVE-2020-1350 and named it SIGRed. The vulnerability can be found on all Windows Server versions starting from 2003 until 2019 and was designated the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, thus an attacker could exploit the vulnerability upon the initial attack of vulnerable servers on the network, even without user interaction.

The vulnerability is caused by the way Windows Domain Name System servers manage requests and impacts all Windows servers that were set up to function as DNS servers. The vulnerability could be exploited remotely by means of sending a particularly made request to the Windows DNS Server.

The DNS works like a phone book for the internet and is utilized to associate an IP address to a domain name, which enables finding the location of a resource. When a request is sent to the Windows DNS Server, when the query cannot be responded to it is submitted to one of 13 root DNS servers that have the data to reply to the query and find the resource.

The Check Point researchers showed they could modify the DNS server to which the query is transmitted and obtain the vulnerable Windows DNS server to parse replies from a name server under their management. They then give an answer that permitted them to exploit the vulnerability – giving a DNS reply that included a greater than estimated SIG record. In so doing, they can bring about a heap-based buffer overflow and get domain administrator rights over the server, which would permit a full takeover of the IT infrastructure of the organization.

In their demonstration, the researchers showed how a local attack could be done by persuading a user to visit a hyperlink in a phishing email. They also had replicated the attack remotely by smuggling DNS inside HTTP requests utilizing Microsoft Explorer and Microsoft Edge browsers.

Though there are presently no recognized instances of exploitation of the vulnerability in the wild, the vulnerability is going to become enticing for hackers considering the number of companies affected and the degree of vulnerability. An attacker could run arbitrary code in the context of the local system account and get complete command of the server, then utilize it as a distribution point to attack all other vulnerable servers and propagate malware. The exploitation of the vulnerability is likely therefore quick patching is needed.

If it isn’t possible to use the patch right away, there is a workaround that could avert the exploitation of the vulnerability until the patch can be employed. This requires making a modification to the registry which will stop the Windows DNS Server from responding to inbound TCP-based DNS response packets beyond the maximum allowable size, therefore stopping the exploitation of the vulnerability.