In May of this year, Check Point researchers discovered a critical vulnerability in Windows DNS Server, which received the name SigRed and the identifier CVE-2020-1350. The vulnerability scored 10 out of 10 on the CVSSv3 scale. A rating that high means the bug is very easy to exploit and that exploitation requires almost no technical skill; the vulnerability can also be used in automated remote attacks and requires no prior authentication.
Since the vulnerability has been present in the code for 17 years, it affects every version of Windows Server released from 2003 through 2019.
“To exploit the bug, a hacker can send malicious DNS queries to Windows DNS servers, which will entail the execution of arbitrary code and may lead to the compromise of the entire infrastructure,” write Check Point experts.
The root of the problem lies in how Windows DNS Server parses incoming DNS queries and how it handles the responses to queries it has forwarded. In particular, a response containing a SIG record larger than 64 KB can trigger a controlled heap buffer overflow, leading to execution of attacker-supplied code and ultimately allowing the attacker to take control of the server. Note that the oversized record arrives in a response rather than a query: an attacker who can make the server forward a query to a DNS server under their control can deliver it.
Because the service runs with SYSTEM privileges, and Windows DNS Server is most often hosted on domain controllers, compromising it hands the attacker domain administrator rights. They can then intercept network traffic, disable services, collect user credentials, and so on.
“Worse, in some cases, the vulnerability can also be used through the browser,” say Check Point researchers.
Some technical details are currently omitted from the Check Point report at Microsoft's request, to give users extra time to install the patches. Because the bug has been in the code for so many years, the researchers do not rule out that attackers have already exploited it, although there is no direct evidence of this yet (recall that Microsoft recently hurried out a fix for a 0-day vulnerability that was a popular target for attacks).
Microsoft itself warns that Windows DNS Server is a core network component and that the vulnerability is wormable: it could be used to spread malware between vulnerable machines automatically, without any user interaction.
“One single exploit can trigger a chain reaction, thanks to which attacks will spread from one vulnerable machine to another without human intervention. This means that only one hacked machine can act as a ‘super-distributor’, which will allow the attack to spread throughout the organization’s network in just a few minutes after the first compromise,” says the Check Point report.
Yesterday, as part of the July Patch Tuesday, Microsoft released a fix for this problem, and all users are advised to install it as soon as possible, since analysts expect exploits for the bug to appear soon.
Microsoft and Check Point also note that if for some reason the patch cannot be installed (as happened with the Windows 10 version 2004 release), the maximum length of DNS messages received over TCP should be capped via the registry at 0xFF00 (65,280 bytes), which rules out the oversized response that causes the overflow. The DNS service must be restarted for the change to take effect, and the workaround should be removed once the patch has been installed.
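The registry workaround described above, as an added example that is not code from the Check Point report or from Microsoft's own advisory text. It assumes an elevated PowerShell session on the DNS server itself; the key path and the value name TcpReceivePacketSize are the ones Microsoft's guidance for CVE-2020-1350 documents, and the 0xFF00 limit is the one named in the article.

```powershell
# Added example: apply and verify the TCP message-size cap that Microsoft
# recommends as a temporary mitigation for CVE-2020-1350 (SigRed).
# Run in an elevated PowerShell session on the affected Windows DNS Server.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'   # value name from Microsoft's CVE-2020-1350 guidance
$Limit     = 0xFF00                   # 65280 bytes: keeps TCP DNS messages below 64 KB

# Show the current state; the value does not exist by default, which means
# the server accepts TCP messages of any length the protocol allows.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not set (default behaviour; vulnerable if unpatched)"
} else {
    Write-Host ("{0} is currently 0x{1:X} ({1} bytes)" -f $ValueName, $current)
}

# Write the cap as a REG_DWORD (-Force overwrites an existing value).
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Limit -Force | Out-Null

# The DNS service only reads this value at start-up, so restart it.
Restart-Service -Name DNS -Force

# Confirm the value that is actually in the registry after the restart.
$applied = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($applied -eq $Limit) {
    Write-Host ("Workaround applied: {0} = 0x{1:X}" -f $ValueName, $applied)
} else {
    Write-Warning ("Value mismatch: expected 0x{0:X}, found {1}" -f $Limit, $applied)
}

# Rollback after the July 2020 patch is installed (remove the value, restart DNS):
#   Remove-ItemProperty -Path $KeyPath -Name $ValueName
#   Restart-Service -Name DNS -Force
```

Two practical caveats: the cap only governs DNS over TCP, which is the transport an oversized response must use, so it does not change how the server answers ordinary UDP queries; and Microsoft states that a limit of 0xFF00 is not expected to affect normal DNS operation, but it is a stopgap, not a fix, so track the value in configuration management and remove it once the patch is confirmed installed.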