Microsoft has released a patch to correct a 17-year-old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and could allow an attacker to take full control of an organization’s entire IT infrastructure.
The vulnerability, CVE-2020-1350, was discovered by security researchers at Check Point who named the flaw SIGRed. The vulnerability is present on all Windows Server versions from 2003 to 2019 and has been assigned the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, which means an attacker could exploit the vulnerability on all vulnerable servers on the network after an initial attack, with no user interaction required.
The flaw is due to how the Windows Domain Name System servers handle requests and affects all Windows servers that have been configured as DNS servers. The flaw can be exploited remotely by sending a specially crafted request to the Windows DNS Server.
The DNS serves as a phone book for the internet and is used to link an IP address to a domain name, which allows that resource to be located. When a query is sent to the Windows DNS Server, if the query cannot be answered it is forwarded to one of 13 root DNS servers that have the information to answer the query and locate the resource.
The Check Point researchers demonstrated they could change the DNS server to which the query is sent and get the vulnerable Windows DNS server to parse responses from a name server under their control. They then sent a response that allowed them to exploit the vulnerability – sending a DNS response that contained a larger than expected SIG record. By doing so, they were able to trigger a heap-based buffer overflow and gain domain administrator rights over the server, which would allow a full takeover of the organization’s IT infrastructure.
The researchers also showed how a local attack could be performed by convincing a user to click a link in a phishing email. They were also able to replicate the attack remotely by smuggling DNS inside HTTP requests using Microsoft Explorer and Microsoft Edge browsers.
While there are currently no known cases of exploitation of the flaw in the wild, the vulnerability will be attractive to hackers given the number of organizations affected and the severity of the flaw. An attacker would be able to run arbitrary code in the context of the local system account and take full control of the server, then use it as a distribution point to attack all other vulnerable servers and spread malware. Exploitation of the vulnerability is therefore likely, so immediate patching is required.
If it is not possible to apply the patch immediately, a workaround is available that will prevent the flaw from being exploited until the patch can be applied. This involves making a change to the registry which will prevent the Windows DNS Server from responding to inbound TCP-based DNS response packets above the maximum allowed size, thus preventing exploitation of the vulnerability.
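The registry workaround described above, as an added PowerShell example that is not part of the article and not Check Point's or Microsoft's own code. The registry path, value name and data (`TcpReceivePacketSize` = `0xFF00`) are taken from Microsoft's published guidance for this CVE rather than from the article, so confirm them against the current advisory before relying on the script; the function names are this example's own.

```powershell
# Added example: check and apply the CVE-2020-1350 (SIGRed) registry workaround
# on a Windows DNS Server. Key/value/data follow Microsoft's published workaround
# (assumption: verify against the current advisory); run elevated on the DNS server.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Cap       = 0xFF00   # 65280 bytes: largest inbound TCP DNS message the server will accept

function Test-DnsServerRole {
    # Only hosts running the DNS Server service are exposed to this flaw.
    return [bool](Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)
}

function Get-SigRedWorkaroundState {
    # Returns one of: NotDnsServer, NotApplied, Applied, Misconfigured
    if (-not (Test-DnsServerRole)) { return 'NotDnsServer' }
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)             { return 'NotApplied' }
    if ($item.$ValueName -eq $Cap)   { return 'Applied' }
    return 'Misconfigured'           # value exists but is not the documented cap
}

function Set-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-DnsServerRole)) {
        Write-Warning 'DNS Server service not found; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", ('Set DWORD to 0x{0:X}' -f $Cap))) {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Cap -Force | Out-Null
        # The new limit only takes effect once the DNS service restarts.
        Restart-Service -Name 'DNS'
    }
}

function Remove-SigRedWorkaround {
    # After the security update is installed, the value can be removed so the
    # server returns to its default TCP message handling.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-SigRedWorkaroundState) -in @('NotDnsServer', 'NotApplied')) { return }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Remove value')) {
        Remove-ItemProperty -Path $RegPath -Name $ValueName
        Restart-Service -Name 'DNS'
    }
}

# Usage:
"Workaround state: $(Get-SigRedWorkaroundState)"
# Set-SigRedWorkaround -WhatIf      # preview the registry change
# Set-SigRedWorkaround              # apply the interim mitigation
# Remove-SigRedWorkaround           # roll back once the patch is installed
```

The `Get-SigRedWorkaroundState` check is the piece worth running fleet-wide (for example through `Invoke-Command` against a list of DNS servers) so that an inventory distinguishes unpatched servers that have the mitigation from those that have neither. Note that the workaround restarts the DNS service, which briefly interrupts name resolution for clients of that server.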