Exploitation Would Grant Attacker Domain Administrator Rights That Could Compromise Entire Corporate Infrastructure
Microsoft addressed a total of 123 vulnerabilities with its July 2020 Patch Tuesday updates, including a critical remote code execution bug that has affected Windows DNS (Domain Name System) servers for the past 17 years.
Tracked as CVE-2020-1350 and featuring a CVSS score of 10 (out of 10), the issue is triggered when the DNS server fails to properly handle requests, thus allowing a remote, unauthenticated attacker to run arbitrary code with SYSTEM privileges.
Discovered by researchers at Check Point, the security flaw affects systems running Windows Server 2003, 2008, 2012, 2016, 2019, and Windows Server version 1903 and is wormable, meaning that malware can abuse it to spread to vulnerable systems without user interaction. Thus, it could be abused to effectively compromise an entire corporate network.
Only the Windows DNS server implementation is affected, but not the Windows DNS client, Microsoft notes, adding that an attacker can trigger the bug by sending malicious requests to the Windows DNS servers.
The attack, however, requires very large DNS packets, and Microsoft notes that editing the registry to limit the size of TCP packets processed by the server is a viable workaround for the vulnerability. However, the workaround should be removed after applying the available patches.
Check Point explains that the vulnerability, which they named “SIGRed,” is an “Integer Overflow leading to Heap-Based Buffer Overflow” that can be triggered by sending a DNS response with a large SIG record.
In addition to being exploitable by an attacker already present on the LAN network, the issue can also be abused through HTTP POST requests from the web browser, though only a small number of browsers would allow HTTP requests to port 53 (such as Internet Explorer and the non-Chromium Microsoft Edge).
“We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it,” Check Point’s security researchers note.
Due to the severity of the issue and the potential of full network compromise, organizations are advised to apply either the released patches or the suggested workaround as soon as possible, to ensure they remain protected.
“As of now, we are not aware of any publicly available exploits or instances of adversaries leveraging exploits for this vulnerability in the wild,” Katie Nickels, Red Canary Director of Intelligence, revealed in an emailed comment.
“That said, critical-severity vulnerabilities in ubiquitous and privileged software that can be exploited in a worm-like fashion are reminiscent of the server message block (SMB) vulnerabilities that enabled destructive attacks like WannaCry and NotPetya in 2017. Of course, it’s possible that nothing will come of CVE-2020-1350 in the way of real-world exploitation, but the potential damages that can arise from a bug like this warrant a proactive and thorough response—even if it ends up being an overreaction,” Nickels continued.
SIGRed is not the only vulnerability with a CVSS score of 10 patched this week. SAP’s July 2020 set of security fixes addresses CVE-2020-6287, referred to as RECON, a critical remote code execution bug leading to complete system takeover.