Check Point Research Report Explains How 17-Year-Old ‘SigRed’ Flaw Affects Windows DNS Feature
Microsoft is urging customers to patch a “wormable” vulnerability affecting the Windows Server operating system. If exploited, this flaw could allow attackers to compromise an organization’s entire infrastructure by crafting malicious DNS queries.
The 17-year-old vulnerability, which was recently discovered by analysts at Check Point Research, affects all versions of Windows Server released from 2003 to 2019, according to Check Point.
Check Point is calling the vulnerability “SigRed,” and it’s tracked as CVE-2020-1350. While the flaw does not appear to have been exploited in the wild, it’s been assigned a score of 10 within the Common Vulnerability Scoring System – the highest rating for a vulnerability – which is why Microsoft is urging customers to immediately apply the patch.
“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” according to Microsoft, which issued the fix as part of its latest Patch Tuesday update this week.
The vulnerability is considered “wormable,” meaning that after the initial attack, the malicious code can leap from device to device, causing a chain reaction. This is what happened in May 2017 with WannaCry, which had the worm-like ability to move from system to system by exploiting an SMBv1 flaw known as EternalBlue (see: Microsoft Patches Wormable SMBv3 Flaw).
“We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug,” Sagi Tzadik, a security researcher with Check Point who discovered the SigRed vulnerability, notes in a report. “Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers may even have set up their public DNS servers as WinDNS.”
Exploiting the Flaw
The vulnerability is located within the Microsoft Windows DNS – the domain name system service used in Windows Server. If exploited, an attacker could craft malicious DNS queries to send to the Windows DNS feature and “achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” Tzadik notes in the Check Point report. This could be accomplished by sending large numbers of queries that overwhelm the server, causing a crash.
Tzadik found that the vulnerability could be exploited because of the way the Windows DNS server parses a response for a forwarded query. When a Windows DNS server does not know the answer to a query it receives, it forwards the query to a DNS server above it in the hierarchy – one of the 13 root DNS servers hosted worldwide, the report notes.
A malicious actor could change the DNS server to which the query is sent in order to have the targeted Windows DNS Server parse responses from a malicious DNS name server instead. Through this method, the victim’s Windows DNS server would ask the malicious DNS server to process certain types of queries and then receive matching malicious responses, according to the Check Point report.
The Windows DNS server supports the “Connection Reuse” and “Pipelining” features of DNS transfer over Transmission Control Protocol, or TCP. This means that an attacker exploiting the vulnerability could issue multiple queries over a single TCP session without waiting for replies, according to the Check Point report. Attackers could abuse this by sending an HTTP POST request to the target DNS server whose binary body contains a DNS query; the smuggled query is then parsed by the server as a separate DNS query.
A malicious HTTP payload consists of three elements: the HTTP request headers, padding so that the first DNS query has the proper length in the POST data, and a smuggled DNS query hidden within the POST data. The malicious payload would be sent to a Windows DNS server on port 53, which is primarily used by DNS to serve User Datagram Protocol requests. Sending the HTTP request to port 53 would cause the Windows DNS server to interpret it as a legitimate DNS query, according to the report.
Researchers found that the exploit could be triggered from the Internet Explorer and Microsoft Edge browsers.
Other browsers, such as Google Chrome and Mozilla Firefox, don’t allow HTTP requests to port 53, making them immune to this type of attack, according to the report.
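The two traffic shapes described above, an HTTP request arriving on the DNS port and oversized or pipelined length-prefixed messages on a DNS-over-TCP connection, can both be spotted in a packet capture of port 53 traffic. The following Python script is an added illustration for defenders and is not code from Check Point's report or from Microsoft; the sample byte streams are constructed for the example, the 16 KB size threshold is an assumed site value, and the function names are this example's own.

```python
"""Inspect a captured TCP byte stream to a DNS server (port 53) for the
traffic shapes in the SigRed write-up: HTTP request lines on the DNS port,
and pipelined or oversized length-prefixed DNS messages.

Added illustration; all sample streams below are constructed, not captured."""
import struct
from dataclasses import dataclass

# Request lines that mean a browser or HTTP client, not a resolver, is talking.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")
DNS_HEADER_LEN = 12  # fixed header, RFC 1035 section 4.1.1


@dataclass
class Finding:
    kind: str     # short machine-readable tag
    detail: str   # human-readable explanation


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; raises ValueError if too short."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    return {
        "id": txid,
        "is_response": bool(flags >> 15),
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def inspect_tcp_dns_stream(data: bytes, max_message_len: int = 16384) -> dict:
    """Walk a DNS-over-TCP stream (RFC 1035 section 4.2.2: every message is
    preceded by a 2-byte big-endian length) and report anomalies.

    max_message_len is an assumed threshold: ordinary queries and answers are
    far smaller, so a declared length above it deserves a look."""
    findings = []
    if data.startswith(HTTP_METHODS):
        first_line = data.split(b"\r\n", 1)[0]
        findings.append(Finding("http_on_dns_port",
                                f"stream begins with HTTP request line {first_line!r}"))
        return {"messages": 0, "findings": findings}

    messages = 0
    offset = 0
    while offset + 2 <= len(data):
        (declared,) = struct.unpack("!H", data[offset:offset + 2])
        body = data[offset + 2:offset + 2 + declared]
        if declared > max_message_len:
            findings.append(Finding("oversized_message",
                                    f"message {messages} declares {declared} bytes "
                                    f"(> {max_message_len})"))
        if len(body) < declared:
            findings.append(Finding("truncated_message",
                                    f"message {messages} declares {declared} bytes, "
                                    f"only {len(body)} present"))
            break
        try:
            parse_dns_header(body)
        except ValueError as exc:
            findings.append(Finding("malformed_header", f"message {messages}: {exc}"))
            break
        messages += 1
        offset += 2 + declared
    if offset < len(data) and offset + 2 > len(data):
        findings.append(Finding("trailing_bytes", "stream ends with a partial length prefix"))
    return {"messages": messages, "findings": findings}


# --- constructed sample streams ------------------------------------------

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard query (RD set) for name/qtype, class IN."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte TCP length."""
    return struct.pack("!H", len(msg)) + msg


SAMPLE_STREAMS = {
    # two pipelined queries on one connection: legitimate connection reuse
    "benign_pipelined": frame(build_query(1, "example.com")) + frame(build_query(2, "example.org")),
    # an HTTP POST aimed at port 53, with opaque bytes where a query could be smuggled
    "http_post": b"POST / HTTP/1.1\r\nHost: ns.example\r\nContent-Length: 16\r\n\r\n" + b"\x00" * 16,
    # a length prefix claiming a 65535-byte message, far above anything normal
    "oversized": struct.pack("!H", 0xFFFF) + b"\x00" * 64,
}

if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        result = inspect_tcp_dns_stream(stream)
        print(label, result["messages"], [f.kind for f in result["findings"]])
```

The script only reads the length prefixes and fixed headers, so it is safe to run over arbitrary captures; a SIEM rule built from it would alert on `http_on_dns_port` and `oversized_message` while treating multiple messages per connection as normal, since pipelining by itself is a legitimate feature.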
Why Patching Is Urgent
The Check Point team notified Microsoft of the vulnerability in May and withheld publicizing it until the software giant issued a patch.
Dustin Childs, a security analyst for Trend Micro’s Zero Day Initiative, urges Windows Server users to apply the patch as soon as possible.
“Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change,” Childs notes in a blog post. “The attack vector requires very large DNS packets, so attacks cannot be conducted over [User Datagram Protocol]. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can.”