The bug has been deemed “wormable,” which means a single exploit could spread from one unpatched server to another.
Organizations running Windows Server for DNS resolution are being urged to apply a patch released as part of Microsoft’s July Patch Tuesday rollout. The patch resolves a DNS bug that’s been around for 17 years but has been identified by Microsoft as critical following its recent discovery by cyber threat intelligence provider Check Point Research.
SEE: Hiring kit: Network administrator (TechRepublic Premium)
Listed on a Microsoft Security Advisory page, the flaw known as “CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability,” points to a problem with Microsoft’s implementation of DNS that can result in a server improperly handling domain name resolution requests. Hackers able to exploit the vulnerability could create and send malicious DNS queries to the Windows DNS server, allowing them to gain Domain Administrator rights and take control of an entire network.
In its advisory, Microsoft didn’t report any real-world instances of the flaw being exploited. But the company gave the vulnerability the highest security risk score possible (CVSS 10.0). Further, both Microsoft and Check Point labeled the flaw wormable, meaning it could spread via malware between vulnerable servers without any user interaction unless the patch (or a workaround) is applied on each affected machine.
“A wormable vulnerability like this is an attacker’s dream,” said Chris Hass, former NSA security analyst and current director of information security and research for Automox. “An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the Local System account. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya.”
Patches are available for the past several affected versions of Windows Server, including 2008, 2012, 2012 R2, 2016, and 2019, according to Microsoft’s advisory. However, Check Point says that Server 2003 also is affected. Microsoft no longer officially supports Windows Server 2003 or 2008. Affected servers include those with both a traditional GUI installation and a Server Core installation. The vulnerability is limited to Microsoft’s Windows DNS Server implementation, so Windows DNS clients are not affected.
Microsoft advises all organizations to install the patch as soon as possible. If the patch cannot be applied quickly enough, then administrators are urged to implement the following workaround:
- In the Registry, move to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
- Add the following value: DWORD = TcpReceivePacketSize and set the value data to 0xFF00.
- You’ll then need to restart the machine’s DNS service.
- For more details, refer to Microsoft’s support page on “Guidance for DNS Server Vulnerability CVE-2020-1350.”
- After you apply the actual patch, remove the TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
Though no real-world exploit may yet exist, cybercriminals will be anxious to take advantage of the flaw now that it’s become public knowledge.
“We expect to see exploits for this particular vulnerability emerge in the next week—potentially faster, and that it will be widely exploited,” Johnathan Cran, head of research at Kenna Security, said. “The vulnerability only requires that the server make a request to another malicious server, so this will affect most organizations running Microsoft’s DNS server. In short, patch this high risk vulnerability now.”
In a blog post published Tuesday, Check Point described in detail how the bug works. Dubbing the flaw SIGRed, the firm also said it believes there’s a high chance of this vulnerability being exploited.
“A DNS server breach is a very serious thing,” said Omri Herscovici, Check Point’s vulnerability research team leader. “Most of the time, it puts the attacker just one inch away from breaching the entire organization. Every organization, big or small, using Microsoft infrastructure is at major security risk if left unpatched. The risk would be a complete breach of the entire corporate network. This vulnerability has been in Microsoft code for more than 17 years; so if we found it, it is not impossible to assume that someone else already found it as well.”