Microsoft fixes critical wormable RCE SigRed in Windows DNS servers

Pierluigi Paganini July 14, 2020

Microsoft’s Patch Tuesday security updates for July 2020 addressed a 17-year-old wormable vulnerability for hijacking Microsoft Windows Server dubbed SigRed

Microsoft’s Patch Tuesday addressed a 17-year-old wormable vulnerability for hijacking Microsoft Windows Server, tracked as CVE-2020-1350 and dubbed SigRed.

The issue received a severity rating of 10.0 on the CVSS scale and affects Windows Server versions 2003 to 2019.

The SigRed flaw was discovered by Check Point researcher Sagi Tzadik and impacts Microsoft Windows DNS.

The vulnerability could be exploited by an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and take full control of an organization’s IT infrastructure.

An attacker could exploit the SigRed vulnerability by sending specially-crafted malicious DNS queries to a Windows DNS server.

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” reads the analysis published by Check Point.

An attacker could exploit the issue to remotely execute arbitrary code, intercept and manipulate network traffic and steal sensitive data.

The flaw resides in how Windows DNS server handles an incoming DNS query, as well as how forwarded DNS queries are parsed.

The researchers discovered that by sending a DNS response that contains a SIG record larger than 64KB it is possible to trigger a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.

Experts pointed out that, because the service runs with elevated privileges, an attacker who compromises it is granted Domain Administrator rights.

Check Point reported its findings to Microsoft on May 19; Microsoft assigned the flaw the identifier CVE-2020-1350 on June 18.

“Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.” reads the advisory published by Microsoft.

“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.”

Microsoft is not aware of attacks in the wild exploiting the issue, but it confirmed that the flaw remained hidden for 17 years.

As a temporary workaround to mitigate the risk of exploitation of the SigRed flaw, Check Point recommends setting the maximum length of a DNS message over TCP to 0xFF00.
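As an added illustration of the two details above (the oversized SIG record and the 0xFF00 cap on DNS-over-TCP message length), the following Python function parses a DNS-over-TCP message the way a passive network monitor might, flags a length prefix above the 0xFF00 cap, and reports SIG (type 24) records with a large RDLENGTH. This is example code written for this page, not Check Point's or Microsoft's; the sample response and the 0x8000 reporting threshold are constructed assumptions.

```python
import struct

SIG_TYPE = 24          # RR type number for SIG (RFC 2535)
TCP_LEN_CAP = 0xFF00   # DNS-over-TCP message length cap from the workaround

def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or compression pointer)."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
    raise ValueError("name runs past end of message")

def inspect_tcp_dns(payload, sig_threshold=0x8000):
    """Findings for one DNS-over-TCP message (2-byte length prefix + DNS message)."""
    findings = []
    if len(payload) < 2:
        return ["truncated length prefix"]
    (declared,) = struct.unpack("!H", payload[:2])
    if declared > TCP_LEN_CAP:
        findings.append(f"length prefix {declared:#06x} exceeds cap {TCP_LEN_CAP:#06x}")
    msg = payload[2:2 + declared]
    if len(msg) < 12:
        return findings + ["truncated DNS header"]
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    try:
        off = 12
        for _ in range(qd):                        # question: name, type, class
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):              # every resource record
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == SIG_TYPE and rdlen >= sig_threshold:   # assumed threshold
                findings.append(f"SIG record with RDLENGTH {rdlen} at offset {off}")
            off += rdlen
    except (struct.error, ValueError):
        findings.append("malformed record layout")
    return findings

def build_sample_response(sig_rdlen):
    """Constructed sample: a response with one question and one SIG answer of the given RDLENGTH."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", SIG_TYPE, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SIG_TYPE, 1, 300, sig_rdlen) + b"\x00" * sig_rdlen
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg
```

A benign response yields no findings, while a response carrying a 0xFF00-byte SIG record trips both the length cap and the SIG size check.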

Microsoft has also provided a workaround to mitigate the issue.

“We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug,” Check Point researchers concluded. “Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it.”
