Connect with us

Hi, what are you looking for?



Critical, Wormable Bug in Windows DNS Servers Could Allow Full Infrastructure Compromise

Exploitation Would Grant Attacker Domain Administrator Rights That Could Compromise Entire Corporate Infrastructure

Exploitation Would Grant Attacker Domain Administrator Rights That Could Compromise Entire Corporate Infrastructure

Microsoft addressed a total of 123 vulnerabilities with its July 2020 Patch Tuesday updates, including a critical remote code execution bug that has affected Windows DNS (Domain Name System) servers for the past 17 years.

Tracked as CVE-2020-1350 and featuring a CVSS score of 10 (out of 10), the issue is triggered when the DNS server fails to properly handle requests, thus allowing a remote, unauthenticated attacker to run arbitrary code with SYSTEM privileges.

Discovered by researchers at Check Point, the security flaw affects systems running Windows Server 2003, 2008, 2012, 2016, 2019, and Windows Server version 1903 and is wormable, meaning that malware can abuse it to spread to vulnerable systems without user interaction. Thus, it could be abused to effectively compromise an entire corporate network.

Only the Windows DNS server implementation is affected, but not the Windows DNS client, Microsoft notes, adding that an attacker can trigger the bug by sending malicious requests to the Windows DNS servers.

The attack, however, requires very large DNS packets, and Microsoft notes that editing the registry to limit the size of TCP packets processed by the server is a viable workaround for the vulnerability. However, the workaround should be removed after applying the available patches.

Check Point explains that the vulnerability, which they named “SIGRed,” is an “Integer Overflow leading to Heap-Based Buffer Overflow” that can be triggered by sending a DNS response with a large SIG record.

Advertisement. Scroll to continue reading.

In addition to being exploitable by an attacker already present on the LAN network, the issue can also be abused through HTTP POST requests from the web browser, though only a small number of browsers would allow HTTP requests to port 53 (such as Internet Explorer and the non-Chromium Microsoft Edge).

“We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it,” Check Point’s security researchers note.

Due to the severity of the issue and the potential of full network compromise, organizations are advised to apply either the released patches or the suggested workaround as soon as possible, to ensure they remain protected.

“As of now, we are not aware of any publicly available exploits or instances of adversaries leveraging exploits for this vulnerability in the wild,” Katie Nickels, Red Canary Director of Intelligence, revealed in an emailed comment.

“That said, critical-severity vulnerabilities in ubiquitous and privileged software that can be exploited in a worm-like fashion are reminiscent of the server message block (SMB) vulnerabilities that enabled destructive attacks like WannaCry and NotPetya in 2017. Of course, it’s possible that nothing will come of CVE-2020-1350 in the way of real-world exploitation, but the potential damages that can arise from a bug like this warrant a proactive and thorough response—even if it ends up being an overreaction,” Nickels continued.

SIGRed is not the only vulnerability with a CVSS score of 10 patched this week. SAP’s July 2020 set of security fixes addresses CVE-2020-6287, referred to as RECON, a critical remote code execution bug leading to complete system takeover.

Related: Windows Codecs Library Vulnerabilities Allow Remote Code Execution

Related: ‘SMBleed’ Vulnerability Impacts Windows SMB Protocol

Related: Researchers Divulge Details on Five Windows Zero Days

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.