On July 14th, Microsoft publicly released a statement associated with a severe vulnerability in the Windows DNS server, codenamed CVE-2020-1350. Discovered as early as May by Check Point Software, an Israeli cyber security firm, this issue has since been patched. Due to its severity and high risk factor, this security hole gained widespread attention in a short period of time.
All Windows Server versions starting from 2003 to 2019 are vulnerable to CVE-2020-1350. While it doesn't present a risk for client versions, companies that rely on Windows DNS could be met with disastrous consequences if they're hit by it. In addition, hacked servers could send out different malware variations that could damage client systems.
Some larger organizations have been known to implement Windows DNS on multiple different, high risk machines, which could give attackers a lot of entry points. Considering the fact that the exploit is fairly easy to execute, its mass spread is not completely excluded as a possibility.
What's the Issue?
CVE-2020-1350 (commonly called SigRed) is a wormable vulnerability that has been around for a whopping 17 years. When the attacker sends a malicious query, the server is forced to send a response that exceeds a specific memory limit, effectively causing a heap-based buffer overflow. This gives the attacker access to forbidden blocks of memory which can be overwritten, causing them to take control of the server through remote code execution.
Once this is achieved, the person has an insight into the whole infrastructure and can read confidential e-mails, manipulate user accounts, gather credentials etc.
Different Approaches to the Attack
Vulnerability researchers at Check Point have revealed that the issue can also be exploited via HTTP requests. More accurately, DNS queries located inside HTTP packets that are received by either Microsoft Explorer or Microsoft Edge can trigger SigRed. Fortunately, Firefox as well as Chromium based browsers aren't vulnerable to this method of execution.
Another less probable attack can happen exclusively if the DNS server has a direct Internet connection and isn't protected by a firewall. This would allow for an attack that could give attacker access to the domain controller without any interaction from the target user, says Omri Herscovici, Check Point's security research team leader. It's also highly probable that something as simple as a phishing email could trigger the attack.
Both Microsoft and Check Point determined the flaw to be critical, giving it a score of 10/10 on the CVSS scale. The particularly scary part about SigRed is that it's wormable, meaning that it can spread through vulnerable computers without any user interaction. Only requirement would be for the two servers to be connected in some way, and a piece of malware would do the rest on its own.
Microsoft's security manager reported that this particular vulnerability isn't currently used in any active attack, but that this possibility isn't excluded in the future. The company gave it a rank of 1, which stands for "exploitation more likely".
The good news is that the DNS server attacks are highly noticeable, since they use a lot of communications to be effective. Still, this doesn't take away from the severity of SigRed - these kinds of vulnerabilities are one of the rarest and most damaging. For skilled hackers with good funding, this exploit is well in their reach.
How To Fix It?
The safest course of action is to patch the servers immediately. Microsoft released an update on July 14th that modified how Windows DNS servers respond to big size requests. However, applying the patch requires a full server restart.
Since some companies can't afford to do that, Microsoft released a manual workaround guide. Before trying to do this, make sure to backup the registry since it's a pretty delicate fix:
- Open up Regedit
- Find the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
- Find the entry named "TcpReceivePacketSize" of type DWORD
- Set its value to 0xFF00
By setting the value to 0xFF00, the server will reject any TCP packet whose size exceeds 65,280 bytes. Since the exploit relies on sending massive packets, this should prevent it from working. After making the change, restart the DNS service.
Microsoft warns that this could prevent valid TCP responses from being allowed in the rare cases where they exceed the set max value. For this reason, the official patch should be applied as soon as possible.
Is this something you had to deal with? How do you handle deploying security updates to your server farm? Let me know on Twitter and get patching!