We are hiring!
July 21, 2020
Developing a SIEM for industrial needs
July 30, 2020
On July 14, Microsoft warned about a 17-year-old bug in Windows DNS server. It was scored 10 on the Common Vulnerability Scoring System (CVSS), that is the highest possible rate. For you to understand how serious this is, the vulnerabilities used by WannaCry were rated just 8.5.
A Checkpoint researcher discovered the problem with Windows DNS service and reported it to Microsoft in May. Though there is no evidence that this bug is currently being exploited, Microsoft immediately released the patch. One can find it on its website with the code and description assigned to the bug “CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability”.
Where is the problem?
DNS (Domain Name System) acts like a phonebook of the Web. Any computer willing to connect to another one asks a DNS server for a destination IP address. There are many types of requests that a client can issue. The SIG query is one of them, asking the server for a signature that validates a Resource Record Set (RRS).
According to Microsoft, the biggest concern about the SIGRed bug is that it is “wormable”. It means it can trigger a chain reaction to spread an attack from one server to another without any direct human interaction. As a result, a piece of malware using this bug can easily infect the entire enterprise network within minutes.
CVE-2020-1350 exposes all the versions of Windows Server from 2003 to 2019. It allows an attacker who sends a special query to a Microsoft DNS server to run an arbitrary code. The technical name of this vulnerability is “Integer Overflow leading to Heap-Based Buffer Overflow”. As nobody checks the length of an integer field in the SIG query, one can set an out-of-boundary value to overwrite another memory area. Therefore, the attacker can craft a specific request and execute any code on the DNS Server with the SYSTEM user priviledge (DNS runs in elevated privileges). Learn more details about the SIGRed vulnerability analysis and the way it can be exploited here.
For sysadmins who cannot apply the recent patch, Microsoft recommends modifying the following registry key in order to protect the DNS service (the service must be restarted):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
Alongside the patch for the SIGRed bug, Microsoft released a set of other patches in July. They address 123 vulnerabilities in their products, including 20 flagged as “critical” and 103 marked as “important”.
How to stay cyber safe?
On top of the regular vulnerability updates watch through the security events happening on the corporate network to timely recognize any suspicious activity. If it is too complicated for a company to keep SOC professionals internally, outsource SOC competence as a service.
Image by Quaid Lagan
