In May of this year, specialists at Check Point discovered a critical vulnerability in Windows DNS Server, which received the code name SigRed and the identifier CVE-2020-1350. The vulnerability scored 10 out of 10 on the CVSSv3 severity scale. Such a rating means that the bug is extremely easy to exploit and that exploitation requires almost no technical knowledge. The vulnerability can also be used in automated remote attacks and does not require prior authentication.
Since the vulnerability has existed in the code for 17 years, the problem affects all versions of Windows Server released from 2003 to 2019.
Check Point experts write that to exploit the bug, an attacker can send malicious DNS queries to Windows DNS servers, leading to arbitrary code execution and potentially to a compromise of the entire infrastructure.
The root of the problem lies in how the Windows DNS server parses incoming DNS queries and how it handles forwarded DNS queries. In particular, a response containing a SIG record of more than 64 KB can trigger a controlled heap buffer overflow, enable the execution of malicious code, and ultimately allow the attacker to take control of the server.
Since the service runs with elevated privileges (SYSTEM), an attacker who compromises it gains domain administrator rights. As a result, they would be able to intercept network traffic, disable services, collect user credentials, and so on. Even worse, it is reported that in some cases the vulnerability can be exploited through a browser.
Currently, some technical details are omitted from the Check Point report at Microsoft's request, to give users extra time to install patches. Since the problem has been present in the code for so many years, experts do not rule out that it has already been used by attackers (although so far there is no clear evidence of this).
Microsoft itself warns that Windows DNS Server is a key network component and that the vulnerability is wormable, that is, it can spread malware between vulnerable devices automatically, without any user interaction.
“One single exploit can trigger a chain reaction, thanks to which attacks will spread from one vulnerable machine to another without human intervention. This means that only one hacked machine can act as a ‘super-distributor,’ which will allow the attack to spread throughout the organization’s network in just a few minutes after the first compromise,” the Check Point report says.
Yesterday, as part of the July Patch Tuesday, Microsoft fixed this problem, and all users are now advised to install the fixes as soon as possible, since analysts fear that exploits for this bug will soon appear. Microsoft and Check Point also note that if installing the patches is not possible for some reason, you should make a registry change limiting the maximum length of a DNS message over TCP to 0xFF00, which eliminates the possibility of the buffer overflow.
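The registry workaround described above, applied and verified with PowerShell, as an added example that is not part of the article or the Check Point report. The article does not name the registry key; the key path and value name used here are the ones from Microsoft's published workaround guidance for CVE-2020-1350, and the script must be run elevated on the DNS server itself.

```powershell
# Added example (not from the article or the Check Point report): apply and
# verify the workaround that caps the maximum DNS message length accepted over
# TCP at 0xFF00 (65280 bytes), just below the 64 KB SIG response the bug needs.
# Key path and value name are taken from Microsoft's published workaround
# guidance for CVE-2020-1350, not from the article itself.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Limit     = 0xFF00

function Get-DnsTcpLimit {
    # Returns the configured cap, or $null if the workaround has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$ValueName
}

function Set-DnsTcpLimit {
    # Idempotent: creates the DWORD if absent, rewrites it if it differs,
    # and only restarts the service when something actually changed.
    if ((Get-DnsTcpLimit) -eq $Limit) {
        Write-Host ("Workaround already in place: {0} = 0x{1:X}" -f $ValueName, $Limit)
        return
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Limit -Force | Out-Null
    # The DNS service reads this parameter at start-up, so a restart is required.
    Restart-Service -Name DNS -Force
}

function Test-DnsTcpLimit {
    # Audit check usable in a fleet scan: $true only when the cap is set to the
    # mitigating value and the DNS service is running with it.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    return ((Get-DnsTcpLimit) -eq $Limit) -and ($null -ne $svc) -and ($svc.Status -eq 'Running')
}

Set-DnsTcpLimit
if (Test-DnsTcpLimit) { 'CVE-2020-1350 TCP message-size workaround verified' }
else { 'Workaround NOT in place; install the July update or re-check the key' }
```

The workaround only narrows the TCP path and is a stop-gap until the July update is installed; Test-DnsTcpLimit alone is enough to audit servers that were already configured.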