[German]ACROS Security has released a micropatch for the SIGRed critical and worm exploitable vulnerability (CVE-2020-1350) for Windows Server 2008 R2 that is not protected via Microsoft’s ESU license. This vulnerability allows remote code execution in Windows Domain Name System servers.
The critical vulnerability CVE-2020-1350
CVE-2020-1350 is a critical vulnerability discovered by security researchers at Check Point Software Technologies. The vulnerability, called SIGRed, has remained undiscovered for 17 years and has a CVSS baseline of 10.0. The vulnerability resides in the Windows DNS server and allows attackers to remotely execute code in Windows Domain Name System servers.
The vulnerability is based on the bug that DNS requests are not processed properly. As a result, malicious DNS requests that are too long can be used for remote attacks. Because the service in question is running with elevated privileges (SYSTEM), an attacker, if successfully exploited, will be granted the rights of a domain administrator. This effectively puts the entire corporate infrastructure at risk.
The vulnerability is wormable and known as “Windows DNS Server Remote Code Execution Vulnerability”. The vulnerability in the Windows DNS server affects Windows Server versions 2003 through 2019, and Microsoft has made fixing the SIGRed vulnerability a top priority. Microsoft has issued this short note about the vulnerability and provides details in the article about CVE-2020-1350. This article lists the critical updates for Windows Server 2008 SP2 up to Windows Server Version 2004 (Server Core installation). The bug will be fixed with the regular updates for Windows on patchday July 14, 2020.
I had reported in the blog post Critical update for SigRed Bug in Windows DNS Server. In addition, the US CISA warns CISA of the vulnerability and requests US authorities to close it within 24 hours (see CISA warns admins: Patch the SIGRed Windows DNS Server vulnerability).
However, Windows Server 2008 R2 systems that do not have an ESU license will not receive the update from Microsoft. However, Microsoft has made the purchase of such an ESU license quite complex and only grant it to volume license customers. Here ACROS Security steps in with its 0patch-Micropatch.
0patch-Fix for Windows Server 2008 R2
ACROS Security has developed a micropatch for the vulnerability CVE-2020-1350. Mitja Kolsek from ACROS Security informed me privately that the micropatch for Windows Server 2008 R2 has been released. There is now also a message on Twitter.
The first micropatch instance is aimed at Windows Server 2008 R2 without Extended Security Updates, for which Microsoft’s official fix is not available. Please email email@example.com for porting the micropatch to any supported or unsupported Windows Server version.
— 0patch (@0patch) July 17, 2020
In this blog post Mitja Kolsek describes some details. For example, he states that some 0patch customers still have systems running Windows Server 2008 (and R2) but have not purchased an ESU license. These customers protect their systems with the 0patch micropatches.
The first version of the 0patch micropatch addresses Windows Server 2008 R2 without an extended ESU license, which no longer receive security updates. The creators are next planning to port to Windows Server 2003 for users who for various reasons are still using this unsupported server.
The ACROS Security Micropatch for the CVE-2020-1350 vulnerability not only detects an integer overflow at the affected code points. The micropatch also logs such an exploit attempt, so administrators know that their server was affected by an exploit.
— 0patch (@0patch) July 17, 2020
The above tweet contains a video showing the opatch Micropatch in action. Customers of AGROS Security who have installed the 0patch Agent with PRO license on their Windows Server 2008 R2 computer should already have received the micropatch. The 0patch Agent has downloaded it and applied it to the DNS server.
Those who do not have a PRO license for Windows Server 2008 R2 can create an account in 0patch Central and then purchase a PRO license or request a trial version at firstname.lastname@example.org. Then install 0patch Agent and register with the created account. Then 0patch Agent will pull the micropatches assigned to the account and apply them. Note that it is not necessary to restart the computer to install the agent or apply/remove an 0patch micropatch. For information on how the 0patch agent works, which loads the micropatches into memory at runtime of an application, please refer to my blog posts (e.g. here) I have linked below. .
Obwohl es kostenlose offizielle Updates für alle unterstützten Windows-Server gibt, kann es sein, dass Admins diese nicht sofort anwenden oder den Computer nicht neu starten können; für solche Fälle können Anfragen zur Portierung unseres Micropatch auf bestimmte Versionen von dns.exe, die auf betroffenen Computern laufen, an email@example.com gesendet werden.
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Critical update for SigRed Bug in Windows DNS Server
CISA warns admins: Patch the SIGRed Windows DNS Server vulnerability