News

Microsoft fixed 17-year-old critical vulnerability in Windows DNS Server

In May of this year, Check Point specialists discovered a critical vulnerability in the Windows DNS Server, which received the code name SigRed and the identifier CVE-2020-1350.

Vulnerability got 10 points out of 10 possible on the CVSSv3 vulnerability rating scale. Such a rating means that the error is extremely easy to use, and its operation requires almost no technical knowledge. Also, the vulnerability can be used for automated remote attacks and does not require prior authentication.

Since the vulnerability has existed in the code for 17 years, the problem is dangerous for all versions of Windows Server that were released from 2003 to 2019.

“To exploit the bug, a hacker can send malicious DNS queries to Windows DNS servers, which will entail the execution of arbitrary code and may lead to the compromise of the entire infrastructure”, – write Check Point experts.

The root of the problem is how the Windows DNS server analyzes incoming DNS queries, and how it handles forwarded DNS queries. In particular, sending a response with a SIG of more than 64 KB can provoke a controlled heap buffer overflow, the execution of malicious code, and ultimately allow the hacker to take control of the server.

Since the service has elevated privileges (SYSTEM), if it is compromised, an attacker will gain domain administrator rights. As a result, he will be able to intercept network traffic, disable services, collect user credentials, and so on.

“Worse, in some cases, the vulnerability can also be used through the browser,” — say Check Point researchers.

Currently, some technical details in the Check Point report are omitted at the request of Microsoft to give users extra time to install patches. Since the problem has been present in the code for so many years, experts do not exclude the possibility that attacker has already used it (although there is no direct evidence of this yet – we remember that Microsoft recently hastily patched a 0-day vulnerability that was a popular target for attacks).

Microsoft itself warns that the Windows DNS Server is a key network component, and the vulnerability has the potential of a worm, that is, it can distribute malware between vulnerable devices automatically, without any user intervention.

“One single exploit can trigger a chain reaction, thanks to which attacks will spread from one vulnerable machine to another without human intervention. This means that only one hacked machine can act as a “super-distributor”, which will allow the attack to spread throughout the organization’s network in just a few minutes after the first compromise,“ — says Check Point report.

Yesterday, as part of the July “Patch Tuesday” Microsoft already fixed this problem, and now all users are advised to install the fixes as soon as possible, as analysts are afraid that soon will arrive exploits for this bug.

Also, Microsoft and Check Point experts note that if for some reason the installation of patches is not possible (as was in the case with the Windows 10 2004 release), then you should make a change to the registry and limit the maximum length of the DNS message via TCP to 0xFF00 that would exclude possibility of buffer overflow.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

View Comments

  • […] problem, also known as SigRed, found as part of the Windows DNS Server. The vulnerability was discovered by Check Point specialists and scored 10 points out of 10 on the CVSSv3 vulnerability rating […]

Recent Posts

Remove Kabatibly.co.in pop-up ads (Virus Removal Guide)

Kabatibly.co.in is a domain that tries to force you into clik to its browser notifications…

9 hours ago

Remove Reditarcet.co.in pop-up ads (Virus Removal Guide)

Reditarcet.co.in is a site that tries to force you into subscribing to its browser notifications…

9 hours ago

Remove Everestpeak.top pop-up ads (Virus Removal Guide)

Everestpeak.top is a domain that tries to trick you into subscribing to its browser notifications…

13 hours ago

Remove Firm-jawed.yachts pop-up ads (Virus Removal Guide)

Firm-jawed.yachts is a domain that tries to trick you into subscribing to its browser notifications…

13 hours ago

Remove Anapurnatop.top pop-up ads (Virus Removal Guide)

Anapurnatop.top is a domain that tries to trick you into subscribing to its browser notifications…

13 hours ago

Remove Boomira pop-up ads (Virus Removal Guide)

Boomira.com is a domain that tries to force you into clik to its browser notifications…

14 hours ago