On July 14, Microsoft warned about a 17-year-old bug in Windows DNS Server. It was scored 10 on the Common Vulnerability Scoring System (CVSS), the highest possible score. To put this in perspective, the vulnerabilities used by WannaCry were rated just 8.5.
A Check Point researcher discovered the problem in the Windows DNS service and reported it to Microsoft in May. Although there is no evidence that the bug is currently being exploited, Microsoft released a patch immediately. It is listed on Microsoft's website under the identifier and description assigned to the bug: “CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability”.
DNS (Domain Name System) acts like the phonebook of the Web. A computer that wants to connect to another asks a DNS server for the destination IP address. A client can issue many types of requests; the SIG query is one of them, asking the server for a signature that validates a Resource Record Set (RRS).
According to Microsoft, the biggest concern about the SIGRed bug is that it is “wormable”: it can trigger a chain reaction that spreads an attack from one server to another without any direct human interaction. As a result, malware using this bug could infect an entire enterprise network within minutes.
CVE-2020-1350 affects all versions of Windows Server from 2003 to 2019. It allows an attacker who sends a specially crafted query to a Microsoft DNS server to run arbitrary code. The technical name of this vulnerability is “Integer Overflow leading to Heap-Based Buffer Overflow”. Because the length of an integer field in the SIG query is not checked, an out-of-bounds value can be set that overwrites another memory area. An attacker can therefore craft a specific request and execute code on the DNS server with SYSTEM privileges (the DNS service runs with elevated privileges). Learn more details about the SIGRed vulnerability analysis and the way it can be exploited here.
For sysadmins who cannot apply the patch right away, Microsoft recommends the following registry modification to protect the DNS service (the service must be restarted for it to take effect):
DWORD = TcpReceivePacketSize
Value = 0xFF00
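The following PowerShell script is an added example, not part of the original post or of Microsoft's guidance: it audits whether the workaround above is in place, applies it if not, and restarts the DNS service. The post gives only the value name and value; the script assumes the DWORD lives under the DNS service's Parameters key (HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters), which is where Microsoft's workaround places it.

```powershell
#Requires -RunAsAdministrator
# Added example: audit/apply the CVE-2020-1350 (SIGRed) registry workaround on a Windows DNS server.
# Assumption: the value sits under the DNS service's Parameters key (path not given in the post).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name    = 'TcpReceivePacketSize'
$Wanted  = 0xFF00   # 65280: caps the size of inbound TCP DNS packets the server will accept

function Get-SigRedMitigationState {
    # Returns Present/Value/Applied so the result can be checked or logged centrally.
    $current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Present = ($null -ne $current)
        Value   = $current
        Applied = ($current -eq $Wanted)
    }
}

function Set-SigRedMitigation {
    param([switch]$RestartService)
    if (-not (Test-Path $KeyPath)) {
        throw "DNS service key not found at $KeyPath - is the DNS Server role installed?"
    }
    # -Force overwrites an existing value; DWord matches the type Microsoft specifies.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Wanted -Force | Out-Null
    if ($RestartService) {
        Restart-Service -Name DNS   # the new limit is only read when the service starts
    }
    Get-SigRedMitigationState
}

$state = Get-SigRedMitigationState
if ($state.Applied) {
    Write-Host ("Workaround already in place: {0} = 0x{1:X}" -f $Name, $state.Value)
} else {
    if ($state.Present) {
        Write-Host ("Workaround present but wrong value (0x{0:X}); correcting..." -f $state.Value)
    } else {
        Write-Host 'Workaround not present; applying...'
    }
    $after = Set-SigRedMitigation -RestartService
    Write-Host ("Applied: {0} (value now 0x{1:X})" -f $after.Applied, $after.Value)
}
```

Once the vendor patch has been installed, the same key can be inspected with Get-SigRedMitigationState to confirm the temporary workaround was removed again.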
Alongside the patch for SIGRed, Microsoft released a set of other patches in July, addressing 123 vulnerabilities in its products, including 20 flagged as “critical” and 103 marked as “important”.
On top of regular vulnerability updates, watch the security events on the corporate network so that suspicious activity is recognized in time. If keeping SOC professionals in-house is too complicated for a company, SOC competence can be outsourced as a service.