17-Year-Old Critical Wormable DNS Bug Patched by Microsoft

Microsoft has released a patch for a critical, wormable flaw in Windows DNS Server that has been present since Windows Server 2003. The vulnerability, tracked as CVE-2020-1350, was discovered by security researchers at Check Point, who named it SIGRed. Windows DNS Server is a core component of Active Directory, so virtually every organization running AD is affected. Given the number of organizations exposed, the ease of exploitation, and the fact that the flaw can be used to take full control of a domain, working exploits are likely to appear quickly. Immediate patching is therefore essential.

The remote code execution vulnerability lies in dns.exe, the Windows DNS Server service that answers DNS queries. It concerns how the server parses an incoming query and, in particular, how it parses the response to a query it has forwarded to another server.

To exploit the flaw, the Check Point researchers first had to make the targeted Windows DNS Server parse responses from a machine they controlled, for example by getting it to look up a name in a domain whose authoritative name server they ran, and then exploited the flaw in their reply to that query. They did this by sending a DNS response containing a SIG record larger than 64KB. The size of the buffer allocated for the record is computed in a 16-bit value, so a record of that size wraps the calculation and the server copies the oversized record into a small heap allocation: a controlled heap-based buffer overflow of around 64KB. A response that large cannot be carried in a UDP datagram, so it has to be delivered over TCP, which is why Microsoft's interim workaround limits the size of inbound TCP responses.

“[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” said Check Point researcher Sagi Tzadik.

Successful exploitation gives a remote attacker code execution as SYSTEM on the DNS server, which in most environments is a domain controller, so in practice it amounts to Domain Administrator rights. From there an attacker could harvest user credentials, intercept and manipulate email and network traffic, cause a denial of service, and take full control of the server and the domain. The flaw affects every Windows Server version from Windows Server 2003 through Windows Server 2019.

The bug is wormable: an exploit could propagate from one vulnerable DNS server to another without any user interaction. The flaw has been given the maximum CVSS v3 severity score of 10.0.

Exploits for the flaw are not believed to have been used in the wild at the time of writing, but given the severity and ease of exploitation that is unlikely to last. It is therefore essential to apply the patch as soon as possible.

If the patch cannot be applied immediately, Microsoft has published a workaround that involves adding a registry value and restarting the DNS service:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value name: TcpReceivePacketSize
Type: DWORD
Data: 0xFF00

The workaround restricts the size of the largest inbound TCP-based DNS response packet the server will accept (the default, which is also the maximum, is 0xFFFF). While it is in place, the Windows DNS server will be unable to resolve names for its clients whenever the response from an upstream server is larger than 65,280 bytes, so once the patch is applied the registry value should be removed to restore the default.
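The following PowerShell script is an added example, not code from the article or from Microsoft: it applies the workaround described above, reports whether it is in place, and removes it again after patching. The function names are this example's own; it assumes it is run in an elevated session on a server with the DNS Server role installed.

```powershell
# Added example: manage Microsoft's interim registry workaround for CVE-2020-1350 (SIGRed).
# Run elevated on the DNS server. Function names below are this example's own.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # 65280 bytes; the service default (and maximum) is 0xFFFF

function Get-SigRedMitigationState {
    # Reports the current TcpReceivePacketSize, or that the value is absent (default behaviour).
    $item = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = 'default (0xFFFF)'; Mitigated = $false }
    }
    $v = [int]$item.$ValueName
    # Any limit at or below 0xFF00 rejects the oversized TCP responses the exploit relies on.
    [pscustomobject]@{ Present = $true; Value = ('0x{0:X}' -f $v); Mitigated = ($v -le $Mitigated) }
}

function Enable-SigRedMitigation {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'The DNS Server service is not installed on this host.'
    }
    # Microsoft specifies a DWORD value; -Force creates it or overwrites an existing one.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $Mitigated -Force | Out-Null
    # The setting only takes effect after the DNS service is restarted.
    Restart-Service -Name DNS -Force
    Get-SigRedMitigationState
}

function Disable-SigRedMitigation {
    # Revert once the July 2020 security update is installed: removing the value
    # restores the 0xFFFF default so large upstream responses resolve again.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
    Get-SigRedMitigationState
}

# Usage (elevated PowerShell on the DNS server):
#   Enable-SigRedMitigation      # before the patch can be installed
#   Get-SigRedMitigationState    # confirm Mitigated = True
#   Disable-SigRedMitigation     # after the patch is installed
```

Restarting the DNS service briefly interrupts name resolution, so schedule the change accordingly; the state check is safe to run at any time and is useful for confirming, across a fleet of domain controllers, that the workaround was removed after patching.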

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news