For 17 years there has been a bug in the code of the Windows DNS server that leads to a critical vulnerability. The wormable flaw could be exploited to gain domain administrator privileges and compromise the entire underlying corporate infrastructure.
I already received the information from Check Point last night, but under embargo, so I am only now getting around to publishing the details. Security researchers at Check Point Software Technologies have discovered a vulnerability that had remained undiscovered for 17 years. The vulnerability, called SIGRed, is so dangerous that Microsoft has given the highest possible priority to fixing it. All Windows server operating systems since 2003 are affected. A patch is available, but must be installed manually. There is also a temporary workaround.
SIGRed Critical Vulnerability (CVE-2020-1350)
In their blog post, security researchers at Check Point Software Technologies describe SIGRed (CVE-2020-1350), a remote code execution vulnerability in Windows Domain Name System servers. The vulnerability stems from a flaw in how the server processes requests. Microsoft refers to it as the "Windows DNS Server Remote Code Execution Vulnerability"; the bug has been present in the code for 17 years.
SIGRed (CVE-2020-1350) is a wormable critical vulnerability with a CVSS base score of 10.0. It resides in the Windows DNS server and affects Windows Server versions 2003 through 2019. The vulnerability can be triggered by a malicious DNS response. Because the service in question runs with elevated privileges (SYSTEM), an attacker who successfully exploits the vulnerability is granted the rights of a domain administrator. This effectively puts the entire corporate infrastructure at risk.
By sending a DNS response that contains a large (more than 64 KB) SIG record, an attacker can cause a controlled heap-based buffer overflow of approximately 64 KB, allowing malicious code to execute. Check Point Software Technologies demonstrates this in their YouTube video and reveals the details in their blog post.
The Domain Name System (DNS) is the "phone book of the Internet" and allows clients to connect to servers to access resources. It maps domain names to IP addresses so that a client reaches the correct server. If this mapping is manipulated, the security of everything built on top of it is undermined.
Microsoft provides patch and workaround
Microsoft has published a security advisory and provides details in the CVE-2020-1350 article. It lists the critical updates for Windows Server 2008 SP2 up to Windows Server version 2004 (Server Core installation). The bug is fixed with the regular Windows updates released on Patch Tuesday, July 14, 2020.
If a patch cannot be installed immediately, Microsoft provides additional information in the support article KB4569509 on how to at least mitigate the vulnerability with a workaround. The registry key for this is:
Add a 32-bit DWORD value TcpReceivePacketSize = 0xFF00 to mitigate the vulnerability. The relevant values are:
- The default value (also the maximum) = 0xFFFF
- The recommended value = 0xFF00 (255 bytes less than the maximum)
You need to restart the DNS service for the registry change to take effect. Since readers of my German blog have already asked: TCP-based DNS response packets that exceed the recommended value are dropped silently, without an error. This could lead to some requests not being answered and to unforeseen failures. However, a DNS server is only negatively affected by this workaround if it receives valid TCP responses that are larger than the limit set by the workaround (over 65,280 bytes). Details, including an FAQ, can be found in Microsoft's support article.
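The following PowerShell script applies the workaround described above on a Windows DNS server and restarts the service. It is an added example and not part of the original post or of Microsoft's KB article. The registry path under which the DNS service stores its parameters is taken from KB4569509, which the post links but does not quote; the value name and the 0xFF00 / 0xFFFF numbers are those given above. Run it in an elevated PowerShell session on the DNS server and compare the path against the KB article first.

```powershell
# Added example: apply the KB4569509 TcpReceivePacketSize workaround for CVE-2020-1350.
# Registry path as documented in KB4569509 (assumed here; not quoted on the post itself).
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280 bytes: 255 below the 0xFFFF default/maximum
$Maximum     = 0xFFFF

# Report the current setting; an absent value means the default (0xFFFF) is in effect.
$current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$ValueName is not set; default 0x{0:X} applies" -f $Maximum
} else {
    Write-Host ("Current {0} = 0x{1:X}" -f $ValueName, $current.$ValueName)
}

# Create (or overwrite) the 32-bit DWORD value with the recommended limit.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                 -Value $Recommended -Force | Out-Null

# The DNS Server service only reads the parameter at start-up, so restart it.
Restart-Service -Name DNS -Force

# Verify that the value was written and the service is back up.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
$svc   = Get-Service -Name DNS
if ($after -eq $Recommended -and $svc.Status -eq 'Running') {
    Write-Host ("Workaround applied: {0} = 0x{1:X}, DNS service {2}" -f $ValueName, $after, $svc.Status)
} else {
    Write-Warning ("Check failed: {0} = 0x{1:X}, DNS service {2}" -f $ValueName, $after, $svc.Status)
}
```

Once the July 2020 update has been installed, the value can be removed again with `Remove-ItemProperty -Path $KeyPath -Name $ValueName` followed by another `Restart-Service DNS`, so that the server returns to the 0xFFFF default and large but legitimate TCP responses are no longer dropped.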