Microsoft has issued a patch for a 17-year-old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and can give an attacker complete control of an organization's entire IT infrastructure.
Security researchers at Check Point discovered the vulnerability, tracked as CVE-2020-1350 and named SIGRed. It affects Windows Server versions from 2003 through 2019 and carries the maximum CVSS v3 score of 10.0. Because it is wormable, malware that exploits it can spread from one vulnerable server to the next across a network without any user interaction.
The vulnerability stems from the way Windows Domain Name System servers handle requests and affects every Windows server configured to act as a DNS server. It can be exploited over the network by sending a specially crafted request to the Windows DNS Server.
DNS works like an internet phone book: it maps a domain name to an IP address so that a resource can be located. When a query reaches the Windows DNS Server and the server cannot answer it from its own zones or cache, it resolves the query recursively, starting from the 13 root DNS servers and following their referrals to the name server that actually holds the answer.
The Check Point researchers showed that they could control which name server the Windows DNS Server ends up querying, so that the vulnerable server parses a response from a name server under their control. They then returned a reply containing a SIG record larger than the server expects. Because the server computes the size of the buffer for the record in 16-bit arithmetic, the oversized record wraps the size calculation, producing a heap-based buffer overflow. The Windows DNS Server is commonly hosted on a domain controller and runs as SYSTEM, so a successful exploit yields domain admin rights and a path to complete takeover of the organization's IT infrastructure.
In their demonstration the researchers also showed that the attack does not require direct network access to the DNS server: a user inside the network can be lured, for example by a link in a phishing email, to a web page that makes the browser send an HTTP request to port 53 of the internal DNS server. Because DNS over TCP is parsed as a length-prefixed stream, the server treats the HTTP request as DNS data, which let Check Point smuggle a DNS payload inside an HTTP request. This worked with Internet Explorer and the non-Chromium Microsoft Edge; Chrome and Firefox refuse to connect to port 53.
Although no in-the-wild exploitation has been observed so far, the vulnerability is an attractive target for attackers given the number of organizations affected and its severity. An attacker can execute arbitrary code in the context of the Local System account, take full control of the server, and then use it as a foothold to attack every other vulnerable server and spread malware. Exploitation is likely, so prompt patching is essential.
If the patch cannot be applied promptly, a registry-based workaround reduces the risk until it can. Setting the DWORD value TcpReceivePacketSize under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00 and restarting the DNS service stops the Windows DNS Server from accepting inbound TCP-based DNS response packets larger than that size, which blocks the oversized responses the exploit depends on. The value caps TCP DNS responses below the protocol maximum of 65,535 bytes, so it should be removed once the patch is installed.
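To make the mechanics above concrete, here is an added Python model (not Check Point's research code and not Microsoft's DNS implementation) covering the pieces the article describes: a DNS response carrying a SIG record framed for TCP, why such a response only fits over TCP and not classic UDP, how a receive-side limit like the TcpReceivePacketSize workaround drops it before parsing, what an HTTP request looks like through the two-byte TCP length prefix, and a simplified 16-bit size calculation beside its hardened form. The 0x14 overhead constant in model_alloc_size(), the host names, and the HTTP request are assumptions made for this example; the real arithmetic inside dns.exe is not reproduced.

```python
"""Constructed model of the SIGRed ingredients. Not dns.exe code: the
overhead constant in model_alloc_size() is an assumption for illustration."""
import struct

TYPE_SIG = 24
UDP_MAX_CLASSIC = 512          # DNS over UDP without EDNS0 (RFC 1035)
TCP_MAX = 0xFFFF               # two-byte length prefix on DNS over TCP (RFC 1035 4.2.2)
WORKAROUND_TCP_MAX = 0xFF00    # Microsoft's TcpReceivePacketSize workaround value


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_sig_response(qname: str, signer: str, signature: bytes) -> bytes:
    """A DNS response whose single answer is a SIG RR (RFC 2535 4.1 RDATA layout)."""
    header = struct.pack("!HHHHHH", 0x1337, 0x8180, 1, 1, 0, 0)   # id, flags, counts
    question = encode_name(qname) + struct.pack("!HH", TYPE_SIG, 1)
    # type covered, algorithm, labels, original TTL, expiration, inception, key tag
    rdata = struct.pack("!HBBIIIH", 1, 5, 1, 3600, 0, 0, 0x1234)
    rdata += encode_name(signer) + signature
    if len(rdata) > 0xFFFF:
        raise ValueError("RDLENGTH is a 16-bit field")
    answer = struct.pack("!H", 0xC00C)          # compression pointer to the question name
    answer += struct.pack("!HHIH", TYPE_SIG, 1, 3600, len(rdata)) + rdata
    return header + question + answer


def frame_tcp(message: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit big-endian length, as DNS over TCP requires."""
    if len(message) > TCP_MAX:
        raise ValueError("message does not fit a TCP frame")
    return struct.pack("!H", len(message)) + message


def fits_udp(message: bytes) -> bool:
    """Classic UDP transport cannot carry a response of this size at all."""
    return len(message) <= UDP_MAX_CLASSIC


def tcp_frame_length(stream: bytes) -> int:
    """What a DNS server reads first from a TCP connection: the declared length."""
    return struct.unpack("!H", stream[:2])[0]


def accept_tcp_response(stream: bytes, max_size: int = TCP_MAX) -> bool:
    """Model of the receive-side size check. With the default limit every
    well-formed frame is accepted; with max_size=WORKAROUND_TCP_MAX the
    oversized responses the exploit needs are dropped before parsing."""
    return tcp_frame_length(stream) <= max_size


def model_alloc_size(signature_len: int, signer_name_len: int) -> int:
    """Simplified model of the bug: an allocation size computed in 16-bit
    arithmetic from attacker-controlled lengths silently wraps."""
    return (signature_len + signer_name_len + 0x14) & 0xFFFF   # 0x14 assumed


def overflow_bytes(signature_len: int, signer_name_len: int) -> int:
    """Bytes written past the wrapped allocation when the signature is copied in."""
    return max(0, signature_len - model_alloc_size(signature_len, signer_name_len))


def safe_alloc_size(signature_len: int, signer_name_len: int) -> int:
    """Hardened form: sum at full width and refuse anything that would not
    fit the 16-bit allocation size instead of wrapping."""
    total = signature_len + signer_name_len + 0x14
    if total > 0xFFFF:
        raise ValueError("SIG record size overflows 16-bit allocation size")
    return total


# Constructed HTTP request, as a browser would send it to http://<dns-server>:53/
HTTP_REQUEST = (b"POST / HTTP/1.1\r\nHost: dns.corp.example:53\r\n"
                b"Content-Type: text/plain\r\nContent-Length: 4\r\n\r\nBODY")


def http_seen_as_dns(request: bytes = HTTP_REQUEST):
    """The server treats the first two bytes ('PO') as a frame length and
    the remainder of the stream as DNS message bytes."""
    return tcp_frame_length(request), request[2:]


if __name__ == "__main__":
    big = build_sig_response("a.example", "ns1.example", b"A" * 65300)
    framed = frame_tcp(big)
    print("message bytes:", len(big), "fits UDP:", fits_udp(big))
    print("accepted by default:", accept_tcp_response(framed),
          "accepted with workaround:", accept_tcp_response(framed, WORKAROUND_TCP_MAX))
    print("wrapped alloc size:", model_alloc_size(65300, 255),
          "bytes overflowed:", overflow_bytes(65300, 255))
    length, rest = http_seen_as_dns()
    print("HTTP request read as DNS frame length:", length, "then:", rest[:13])
```

Run it directly to print the sizes. The point of the two alloc functions is the pattern rather than the constants: the vulnerable form wraps and allocates 39 bytes for a 65,300-byte signature, while the hardened form computes the sum at full width and refuses it. The framing functions show why the 0xFF00 limit works: the 65,370-byte response is accepted under the default limit and dropped under the workaround, and it could never have arrived over classic UDP.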