Researchers disclose a 17-year-old wormable flaw in Windows DNS servers. Organizations are strongly encouraged to apply patches as soon as possible.
Background
On July 14, Microsoft patched a critical vulnerability in Windows Domain Name System (DNS) Server as part of Patch Tuesday for July 2020. The vulnerability was disclosed to Microsoft by Sagi Tzadik and Eyal Itkin, researchers at Check Point Research, who dubbed this vulnerability “SIGRed.” According to the researchers, the vulnerability has persisted in Windows DNS Server for 17 years. Microsoft has published its own blog post about the flaw, warning that they consider it wormable.
Analysis
CVE-2020-1350 is a critical remote code execution (RCE) vulnerability in Windows DNS servers due to the improper handling of DNS requests. It was assigned a CVSSv3 score of 10.0, the highest possible score. To exploit this vulnerability, an attacker would send a malicious request to a vulnerable Windows DNS server. Successful exploitation would grant the attacker arbitrary code execution privileges under the Local System Account context. Microsoft warns that systems at risk include “Windows servers” that have been “configured as DNS servers.”
Second major wormable flaw patched this year
In March of this year, Microsoft released patches for CVE-2020-0796, a wormable RCE vulnerability in Microsoft Server Message Block 3.1.1, known as EternalDarkness or SMBGhost. While we have yet to see SMBGhost used in a wormable fashion, SIGRed marks the second wormable Microsoft vulnerability patched this year.
SIGRed can be triggered via the browser
Researchers at Check Point found that they could remotely trigger the vulnerability through a web browser. This is achieved by “smuggling” a DNS query in an HTTP request as part of the POST data. However, this vulnerability can only be exploited through browsers that accept HTTP requests over the standard DNS port (53), which include Internet Explorer and Microsoft Edge versions that are not using Chromium.
As part of a demonstration, Check Point Researchers show how they could trigger the vulnerability by sending a link to a user in an email, which when opened would smuggle the DNS query inside of the HTTP request.
Proof of concept
At the time this blog post was published, there was no working proof-of-concept (PoC) code available for this vulnerability. However, we have seen at least one fake PoC that "Rickrolls" users. In the past, we’ve also observed some malicious scripts that masquerade as PoCs being published to GitHub. We strongly advise caution when dealing with alleged PoCs. However, we anticipate that it won’t be long before researchers and attackers have developed their own working PoCs.
Solution
Microsoft has released patches to address SIGRed across a variety of Windows Server releases. Despite Windows Server 2008 reaching end of life in January 2020, Microsoft has published security patches to prevent unsupported systems from being compromised by a potential worm.
Tenable strongly encourages organizations to apply these patches as soon as possible.
| Article | Products | KB |
|---|---|---|
| 4565536 | Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core) | KB4565536 |
| 4565529 | Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core) | KB4565529 |
| 4565524 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core) | KB4565524 |
| 4565539 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core) | KB4565539 |
| 4565537 | Windows Server 2012 Windows Server 2012 (Server Core) | KB4565537 |
| 4565535 | Windows Server 2012 Windows Server 2012 (Server Core) | KB4565535 |
| 4565541 | Windows Server 2012 R2 Windows Server 2012 R2 (Server Core) | KB4565541 |
| 4565540 | Windows Server 2012 R2 Windows Server 2012 R2 (Server Core) | KB4565540 |
| 4565511 | Windows Server 2016 Windows Server 2016 (Server Core) | KB4565511 |
| 4558998 | Windows Server 2019 Windows Server 2019 (Server Core) | KB4558998 |
| 4565483 | Windows Server, version 1903 (Server Core) Windows Server, version 1909 (Server Core) | KB4565483 |
| 4565503 | Windows Server, version 2004 (Server Core) | KB4565503 |
If applying these patches is not currently feasible, Microsoft provided a workaround via a Windows registry modification:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
In order for these changes to take effect, the DNS Service must be restarted.
Microsoft recommends removing the workaround after patches have been applied.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.