All versions of Windows Server from 2003 to 2019 are vulnerable to a newly identified vulnerability, dubbed SigRed, in Windows DNS, the domain name system service provided by Microsoft in Windows operating systems.
Uncovered by Check Point researcher Sagi Tzaik and first reported to Microsoft by Check Point through a disclosure programme on 19 May 2020, the CVE-2020-1350 vulnerability is being patched in July’s Patch Tuesday update from Microsoft. It has been assigned a CVSS score of 10, the highest possible.
The SigRed vulnerability exists in the way the Windows DNS server parses an incoming DNS query, and how it parses a response to a forwarded DNS query. If an attacker successfully exploits it with a malicious DNS query, they can trigger a heap-based buffer overflow, which will in turn let them take control of the server and feign domain administrator rights. This makes it possible for them to intercept and manipulate email and network traffic, compromise services and harvest credentials, among other things.
Critically, SigRed is wormable, meaning that a single exploit can cause a chain reaction, allowing attacks to spread through a network without any action on the part of the user – in effect one single compromised machine becomes a super-spreader.
“A DNS server breach is a critical issue. Most of the time, it puts the attacker just one inch away from breaching the entire organisation. There are only a handful of these vulnerability types ever released. Every organisation, big or small, using Microsoft infrastructure is at major security risk if this flaw is left unpatched,” said Omri Herscovici, leader of Check Point’s vulnerability research team.
“The risk would be a complete breach of the entire corporate network. This vulnerability has been in Microsoft code for more than 17 years, so if we found it, it is not impossible to assume that someone else already found it as well.”
Omri Herscovici, Check Point
Check Point is strongly advising Windows users to patch their affected servers as soon as possible – as previously noted, a fix is being made available today (14 July) as part of the latest Patch Tuesday update.
Herscovici said the likelihood of SigRed being exploited at some point in the next week was very high, as his team had been able to find all of the primitives required to take advantage of it, suggesting it would be easy for a determined hacker to do the same.
“Furthermore, our findings show us all that no matter how secure we think we are, there are always more security issues out there waiting to be discovered. We’re calling the vulnerability SigRed, and we believe it should be top priority for remedying. This isn’t just another vulnerability – patch now to stop the next cyber pandemic,” he said.
Besides applying the patch immediately, Check Point detailed a workaround to block the attack, which goes thus: In "CMD", type the following two commands. The first sets the registry value and the second restarts the DNS service:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
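To confirm the registry workaround above is actually in place on a DNS server, the following PowerShell check can be run locally. It is an added example, not code from Check Point or Microsoft, and the function name Test-SigRedWorkaround is hypothetical.

```powershell
# Added example: audits the TcpReceivePacketSize workaround on the local machine.
# Test-SigRedWorkaround is a hypothetical helper name, not a built-in cmdlet.
function Test-SigRedWorkaround {
    [CmdletBinding()]
    param(
        # Value written by the workaround command (0xFF00).
        [int]$Expected = 0xFF00
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $name = 'TcpReceivePacketSize'

    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        ValuePresent = $false
        ValueKind    = $null
        Value        = $null
        ValueCorrect = $false
        DnsStatus    = 'NotInstalled'
        Compliant    = $false
    }

    # Read both the data and the registry type: a string "0xFF00" created by
    # a mistyped /t argument would exist but would not be a REG_DWORD.
    $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($regKey -and ($regKey.GetValueNames() -contains $name)) {
        $result.ValuePresent = $true
        $result.ValueKind    = $regKey.GetValueKind($name)
        $result.Value        = $regKey.GetValue($name)
        $result.ValueCorrect = ($result.ValueKind -eq 'DWord') -and
                               ($result.Value -eq $Expected)
    }

    # The workaround ends by restarting the DNS service, so it should be running.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if ($svc) { $result.DnsStatus = $svc.Status.ToString() }

    $result.Compliant = $result.ValueCorrect -and ($result.DnsStatus -eq 'Running')
    [pscustomobject]$result
}

Test-SigRedWorkaround | Format-List
```

The check cannot tell whether the DNS service was restarted after the value was written, so restart it if that is in doubt.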