A critical Remote Code Execution (RCE) vulnerability CVE-2020-1350 dubbed SIGRed has been found in Microsoft Windows Domain Name System (DNS) servers.
This vulnerability is classified as a ‘wormable’ vulnerability which means a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another even without user interaction.
It has a CVSS base score of 10, which is the highest possible risk score. The affected versions include Windows Server versions from 2003 to 2019.
This vulnerability has been in the Microsoft code for more than 17 years. This means that it’s likely that other attackers may have found and have taken advantage of the issue.
But according to Microsoft, this vulnerability is not currently known to be used in active attacks. Microsoft ranks this vulnerability as “exploitation more likely,” and urges customers to apply Windows updates to address this vulnerability as soon as possible.
This issue results from a flaw in Microsoft’s DNS server role implementation. It does not affect non-Microsoft DNS Servers. The main reason why this vulnerability exists is due to how Windows DNS server parses an incoming DNS query, as well as how forwarded DNS queries are handled.
The flaw itself is an integer-overflow bug. It can trigger a heap-based buffer overflow attack tied to the DNS module named dns.exe, which is responsible for answering DNS queries on Windows Servers.
If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling an attacker to take control of the server. This makes it possible for an attacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials, etc.
As the service runs in elevated privileges, if compromised, an attacker is also granted Domain Administrator rights. In some scenarios, this vulnerability can be triggered remotely through browser sessions.
Microsoft has released a patch to update the DNS server to the latest version. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server.
In order to work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters Go to TcpReceivePacketSize and change the Value = 0xFF00
The Default (also max) Value = 0xFFFF
Now restarting the DNS Service will allow the change to take effect.
Originally published on the Beagle Security Blog: https://beaglesecurity.com/blog/article/sigred-microsoft-dns-server.html