A critical, 17-year-old wormable vulnerability in the DNS Server role of Microsoft Windows Server has been fixed in Microsoft's July 2020 Patch Tuesday security update.
The bug, dubbed SIGRed, is tracked as CVE-2020-1350 and carries the maximum CVSS severity score of 10.0. It was discovered by Check Point researcher Sagi Tzadik and lies in Windows DNS Server, Microsoft's implementation of the Domain Name System service that ships with the Windows Server operating systems.
According to the researchers, the vulnerability matters to enterprises because it is wormable, or self-propagating: an exploit can spread from one vulnerable machine to the next without any user interaction, potentially compromising an organization's entire network of machines in the process.
By sending malicious DNS queries to a Windows DNS server, an attacker can achieve arbitrary code execution on that server and use it as a foothold into the rest of the infrastructure.
The flaw affects all Windows Server versions from 2003 through 2019; non-Microsoft DNS servers are not affected. It stems from the way the Windows DNS server parses an incoming DNS query and from the way it handles the responses to queries it has forwarded upstream.
The researchers state that a DNS response carrying a SIG record larger than 64KB causes a controlled heap-based buffer overflow of roughly 64KB past a small allocated buffer.
Because the attacker can provoke such a response with a malicious query (the server forwards the query upstream and then parses the reply it receives), a single query is enough to trigger the heap overflow and take complete control of the server. That in turn lets the attacker intercept and manipulate users' email and network traffic, make services unavailable, harvest users' credentials and much more.
Since the Windows DNS server usually runs on a domain controller, a compromise also hands the attacker Domain Administrator rights. In certain cases the vulnerability can be triggered remotely through a browser session, for example by luring a user on the internal network to a malicious web page.
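An oversized record, a small allocation and an overflow of about 64KB is the classic signature of a record size being summed in a 16-bit variable and wrapping around. The C model below is an added illustration of that bug class, not Check Point's proof of concept or Microsoft's dns.exe code; the RR_HEADER overhead, the function names and the exact arithmetic are assumptions made for the example, and the real parser's layout differs. It computes the size the vulnerable code would allocate, how far the subsequent copy would run past it, and shows the hardened form that rejects totals which cannot fit a 16-bit DNS message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed overhead of the in-memory record (illustrative value,
 * not taken from dns.exe). */
#define RR_HEADER 16u

/* Vulnerable size computation: the total is accumulated in a 16-bit
 * variable, so a signer name plus signature that together exceed 65535
 * bytes wrap around to a small number. The allocation made from this
 * value is tiny while the copy that follows uses the real lengths. */
uint16_t vuln_record_size(size_t signer_name_len, size_t signature_len)
{
    uint16_t size = RR_HEADER;
    size = (uint16_t)(size + signer_name_len);   /* truncated to 16 bits */
    size = (uint16_t)(size + signature_len);     /* may wrap past 65535 */
    return size;
}

/* Hardened variant: accumulate in size_t and refuse any total that cannot
 * fit in a 16-bit DNS message, so the allocation always matches the copy. */
bool safe_record_size(size_t signer_name_len, size_t signature_len, size_t *out)
{
    size_t size = RR_HEADER;
    if (signer_name_len > UINT16_MAX - size)
        return false;
    size += signer_name_len;
    if (signature_len > UINT16_MAX - size)
        return false;
    size += signature_len;
    *out = size;
    return true;
}

/* How many bytes the vulnerable code would write past its allocation
 * (the copy uses the un-truncated total); 0 means no overflow. The copy
 * itself is deliberately not performed, so this runs safely. */
size_t vuln_overflow_bytes(size_t signer_name_len, size_t signature_len)
{
    size_t copy_len = RR_HEADER + signer_name_len + signature_len;
    size_t alloc_len = vuln_record_size(signer_name_len, signature_len);
    return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

int main(void)
{
    /* Constructed inputs: a benign SIG record and an oversized one. */
    const size_t cases[][2] = { {20, 256}, {255, 65300} };
    for (size_t i = 0; i < 2; i++) {
        size_t name = cases[i][0], sig = cases[i][1], safe = 0;
        printf("name=%zu sig=%zu: vuln alloc=%u, overflow=%zu bytes, hardened=%s\n",
               name, sig, (unsigned)vuln_record_size(name, sig),
               vuln_overflow_bytes(name, sig),
               safe_record_size(name, sig, &safe) ? "accepted" : "rejected");
    }
    return 0;
}
```

The benign record allocates 292 bytes and copies 292 bytes; the oversized one wraps to a 35-byte allocation while the copy would write 65,571 bytes, an overflow of exactly 64KB. The hardened function refuses the second record before any allocation happens, which is the kind of bound a parser of attacker-supplied wire data has to enforce.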
Check Point disclosed its findings to Microsoft on May 19, 2020; Microsoft verified the issue and fixed it in its July Patch Tuesday release.
No evidence of in-the-wild exploitation has been found, even though the issue sat in Microsoft's code for 17 years.
All organizations are urged to patch their Windows DNS servers as soon as possible.
Where patching must wait, Check Point recommends Microsoft's temporary workaround: cap the maximum length of a DNS message received over TCP at 0xFF00 (65,280 bytes) by creating the DWORD registry value TcpReceivePacketSize under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restarting the DNS Server service. This only blocks the oversized TCP messages the exploit depends on and does not fix the parsing bug, so the patch should still be applied, after which the registry value can be removed.
Image Credits : Check Point