SigRed: A 17-year-old “wormable” vulnerability for hacking Microsoft Windows Server

Researchers are urging organizations to patch Microsoft Windows Server to protect their networks from a critical wormable vulnerability that has sat in the Windows DNS Server code for 17 years.

Now fixed as part of Microsoft’s July 14 Patch Tuesday security update, the bug, identified as CVE-2020-1350, has been assigned a CVSS severity score of 10.0.

Discovered by Check Point researcher Sagi Tzadik, the bug affects Windows DNS Server, the DNS server role that ships with Windows Server.

Dubbed “SigRed”, the vulnerability is of particular concern, the Check Point team says, because it is wormable, or self-propagating: an exploit can hop from one vulnerable machine to the next without any user interaction, potentially compromising an organization’s entire network in the process.

See full July ZDNet Patch Tuesday coverage here: Microsoft July 2020 Patch Tuesday fixes 123 vulnerabilities

By exploiting the flaw, “a hacker [can] create malicious DNS queries against Windows DNS servers and perform arbitrary code execution that could lead to the breach of the entire infrastructure,” the team explains.

CVE-2020-1350 affects all versions of Windows Server from 2003 to 2019.

The vulnerability lies in how Windows DNS Server parses DNS messages, and in particular how it handles the response to a query it has forwarded: an attacker who can make the server forward a query to a nameserver they control gets to choose the reply the server parses. A response carrying a SIG record whose decoded size exceeds 64 KB can “cause a heap-based controlled buffer overflow of approximately 64 KB on a small allocated buffer,” the team explains. The 64 KB threshold reflects a 16-bit size computation in the record parser: a record whose decoded size does not fit in 16 bits wraps to a small allocation, which the record’s own data then overflows.

“If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, allowing the attacker to take control of the server and allowing them to intercept and manipulate email and network traffic from users, to make the services unavailable, to harvest users’ credentials and more,” says Check Point.

Because the DNS service runs as SYSTEM and is usually hosted on a domain controller, an attacker who compromises it effectively gains domain administrator rights. In limited scenarios the flaw can also be triggered from a browser: a crafted HTTP request sent to the DNS server’s TCP port 53 can be parsed by the server as a DNS-over-TCP message.
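The size arithmetic behind that description, as an added example rather than code from Check Point’s analysis or from Windows DNS Server: a SIG record’s in-memory size is its 18 fixed bytes plus the decompressed signer’s name plus the signature, and if that sum is formed in a 16-bit quantity it wraps even though every individual wire field fits in 16 bits. The parser, the constants and the sample response below are constructed for this illustration; the example assumes the RFC 2535 SIG layout and a parser that accepts compression pointers to any offset in the message (the code comments mark that assumption), and it shows the vulnerable computation beside an overflow-checked one.

```c
#include <stdint.h>
#include <string.h>

#define DNS_MAX_MSG   65535u  /* DNS over TCP: the 16-bit length prefix caps a message */
#define DNS_MAX_NAME  255     /* RFC 1035 limit on a decompressed name */
#define SIG_FIXED_LEN 18      /* RFC 2535 SIG fields that precede the signer's name */

struct sig_sizes {
    int name_len; size_t sig_len;    /* decompressed signer's name; signature bytes on the wire */
    uint16_t truncated;              /* allocation size formed in 16 bits (the bug class) */
    size_t checked; int checked_ok;  /* overflow-checked size; checked_ok == 0 means refused */
};

/* Decompressed length of the name at `off`, following RFC 1035 pointers; *wire gets the
 * bytes it occupies in place (a pointer ends it after two). Assumption of this example: a
 * pointer to any in-bounds offset is accepted, as many parsers do, so a 2-byte name in the
 * RDATA can expand to 255 bytes stored elsewhere. Returns -1 on bad input or a loop. */
static int name_decompressed_length(const uint8_t *msg, size_t msg_len, size_t off, size_t *wire)
{
    int total = 0, hops = 0, jumped = 0;
    size_t start = off;
    while (off < msg_len) {
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                          /* compression pointer */
            if (off + 1 >= msg_len || ++hops > 16) return -1;
            if (!jumped) { *wire = off + 2 - start; jumped = 1; }
            off = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (c > 63 || (total += c + 1) > DNS_MAX_NAME) return -1;
        if (c == 0) {                                      /* root label ends the name */
            if (!jumped) *wire = off + 1 - start;
            return total;
        }
        off += c + 1;
    }
    return -1;
}

/* Vulnerable pattern: the allocation size is formed as a 16-bit quantity. */
uint16_t sig_alloc_size_truncated(int name_len, size_t sig_len)
{
    return (uint16_t)(SIG_FIXED_LEN + (size_t)name_len + sig_len);
}

/* Hardened pattern: add in size_t and refuse anything that will not fit a 16-bit size. */
int sig_alloc_size_checked(int name_len, size_t sig_len, size_t *out)
{
    if (name_len < 0 || name_len > DNS_MAX_NAME || sig_len > DNS_MAX_MSG) return 0;
    size_t total = SIG_FIXED_LEN + (size_t)name_len + sig_len;
    if (total > UINT16_MAX) return 0;
    *out = total; return 1;
}

/* Parse one SIG RDATA and report both size computations. Returns 1 on success. */
int parse_sig_rdata(const uint8_t *msg, size_t msg_len, size_t rdata_off,
                    uint16_t rdlength, struct sig_sizes *out)
{
    size_t wire = 0;
    if (rdata_off + rdlength > msg_len || rdlength <= SIG_FIXED_LEN) return 0;
    int name_len = name_decompressed_length(msg, msg_len, rdata_off + SIG_FIXED_LEN, &wire);
    if (name_len < 0 || SIG_FIXED_LEN + wire > rdlength) return 0;
    out->name_len = name_len; out->sig_len = rdlength - SIG_FIXED_LEN - wire;
    out->truncated  = sig_alloc_size_truncated(name_len, out->sig_len);
    out->checked_ok = sig_alloc_size_checked(name_len, out->sig_len, &out->checked);
    return 1;
}

/* Constructed response of `msg_len` bytes: a 12-byte header and one SIG answer whose
 * signer's name is a 2-byte pointer to the start of its own signature, where a 255-byte
 * name has been planted. The question section a real response would echo is omitted.
 * Returns the RDATA offset and sets *rdlength, or 0 if msg_len is unusable. */
size_t build_sample_response(uint8_t *msg, size_t msg_len, uint16_t *rdlength)
{
    const size_t rr_off = 12, rdata_off = rr_off + 1 + 10;  /* owner "." + type/class/TTL/len */
    const size_t sig_off = rdata_off + SIG_FIXED_LEN + 2;
    static const uint8_t labels[4] = { 63, 63, 63, 61 };    /* 64 + 64 + 64 + 62 + root = 255 */
    if (msg_len > DNS_MAX_MSG || msg_len < sig_off + DNS_MAX_NAME) return 0;
    memset(msg, 0, msg_len);
    msg[2] = 0x80; msg[7] = 1;                               /* QR = 1, ANCOUNT = 1 */
    msg[rr_off + 2] = 24; msg[rr_off + 4] = 1;               /* owner ".", type SIG, class IN */
    *rdlength = (uint16_t)(msg_len - rdata_off);
    msg[rr_off + 9] = (uint8_t)(*rdlength >> 8); msg[rr_off + 10] = (uint8_t)*rdlength;
    msg[rdata_off + 1] = 1; msg[rdata_off + 2] = 5;          /* covers A, algorithm 5 */
    msg[rdata_off + SIG_FIXED_LEN]     = (uint8_t)(0xC0 | (sig_off >> 8));
    msg[rdata_off + SIG_FIXED_LEN + 1] = (uint8_t)sig_off;
    memset(msg + sig_off, 'A', msg_len - sig_off);           /* signature filler */
    size_t p = sig_off;
    for (int i = 0; i < 4; i++) { msg[p] = labels[i]; p += 1 + labels[i]; }
    msg[p] = 0;
    return rdata_off;
}

/* Build a response of `msg_len` bytes and parse it. Returns 1 and fills *s on success. */
int demo_sig_sizes(size_t msg_len, struct sig_sizes *s)
{
    static uint8_t msg[DNS_MAX_MSG];
    uint16_t rdlength; size_t rdata_off = build_sample_response(msg, msg_len, &rdlength);
    return rdata_off != 0 && parse_sig_rdata(msg, msg_len, rdata_off, rdlength, s);
}
```

Calling demo_sig_sizes(65535, &s) reports a 255-byte name and a 65,492-byte signature whose 16-bit sum is 229: the vulnerable computation would hand the allocator a 229-byte buffer and then copy roughly 64 KB of signature into it, which is the “approximately 64 KB on a small allocated buffer” overflow described above, while the checked computation refuses the record. A modest message, demo_sig_sizes(1000, &s), yields a 1,230-byte allocation under both. In this model the 0xFF00 cap on DNS over TCP messages that the article mentions as a workaround also holds, because it denies the attacker the last 255 bytes of signature that the decompressed name would otherwise push past 65,535.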


Check Point discussed the exploit primitives in its technical analysis but, at Microsoft’s request, withheld certain details to give system administrators time to patch their systems.

The cybersecurity firm disclosed its findings to Microsoft on May 19. After triaging and verifying the issue, the Redmond giant issued CVE-2020-1350 on June 18, and on July 9 acknowledged the flaw as wormable and rated it with the maximum CVSS score of 10.0.

Microsoft released the patch in its July 14 Patch Tuesday update.

“This issue results from a flaw in Microsoft’s DNS server role implementation and affects all versions of Windows Server. Non-Microsoft DNS servers are not affected,” Microsoft says.

“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction,” the company added. “Windows DNS Server is a core networking component. Although this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to resolve this vulnerability as soon as possible.”

Although there is currently no evidence that the vulnerability has been exploited in the wild, the issue has been hidden in Microsoft code for 17 years. As a result, Check Point told us they “cannot rule out” the possibility that it was abused during this time.


“We believe the likelihood of this vulnerability being exploited is high, as we have internally sourced all the necessary primitives to exploit this bug,” the company added. “Due to time constraints, we have not pursued exploiting the bug (which includes chaining together all exploit primitives), but we believe a determined attacker will be able to exploit it.”

If a temporary workaround is required, Check Point recommends capping the maximum length of a DNS over TCP message at 0xFF00 (65,280) bytes. This is also the workaround Microsoft documents: set the TcpReceivePacketSize DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00 and restart the DNS service. The registry change is a stopgap, not a fix, and should be reverted once the update is installed.

ZDNet has contacted Microsoft with additional queries and will update when we hear back.

Update 19.07: A micropatch has been made available by 0patch.
