Microsoft Patches Critical, Wormable Flaw in Windows DNS Servers

DHS CISA is urging organizations to apply Microsoft's patch for a critical, wormable vulnerability found in its Windows DNS Servers. The bug has the most severe security rating of 10.0.

By Jessica Davis

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging administrators to apply a Microsoft-issued patch for a critical, wormable vulnerability found in Windows DNS Servers.

DNS is a network protocol that translates human-friendly hostnames into IP addresses and is a core component of the internet. In Windows servers, it is an essential part of, and a requirement for, the domain environment. The issue resides in Microsoft's DNS server role implementation.

Dubbed SIGRed, the flaw can be triggered by a malicious DNS response, and the affected DNS service runs with elevated SYSTEM privileges. Microsoft issued the patch for the CVE-2020-1350 flaw as part of Patch Tuesday, along with 122 other disclosed vulnerabilities.

The wormable flaw has been ranked at the most severe security rating of 10.  

Discovered by Check Point researcher Sagi Tzaik, the flaw is 17 years old and impacts Windows Server 2003 to 2019 versions, configured as DNS servers. A successful exploit could allow an attacker to run arbitrary code in the context of the Local System Account. 

And by gaining rights as a Domain Administrator, an attacker could intercept and manipulate user emails and network traffic, change the availability of services, harvest user credentials, and a host of other malicious activities. 

Its wormable nature is most concerning, as it would allow an attacker to exploit the vulnerability to proliferate from the impacted device to other connected devices on the network. Check Point provided step-by-step details on how they were able to effectively exploit the bug. 

“If exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure,” Check Point researchers wrote. “We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug.” 

“Due to time constraints, we did not continue to pursue the exploitation of the bug... but we do believe that a determined attacker will be able to exploit it,” they added. “Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers.” 

Check Point, Microsoft, and CISA are urging all organizations to prioritize the patch. Although the flaw has not been observed in active attacks, researchers noted that exploitation could be forthcoming. However, some organizations, including those in healthcare, may not be able to practically apply the patch in a timely fashion.

In response, Microsoft provided a registry-based workaround that administrators can apply to reduce the risk posed by the flaw. Administrators will need to make a change in the registry that will restrict the size of the largest TCP-based DNS response packet allowed by the system. 

“After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes,” Microsoft researchers explained. “TCP-based DNS response packets that exceed the recommended value will be dropped without error, so it is possible that some queries may not be answered.” 

“This could result in an unanticipated failure,” they added. “A DNS server will only be negatively impacted by this workaround if it receives valid TCP responses that are greater than allowed in the previous mitigation (over 65,280 bytes). The reduced value is unlikely to affect standard deployments or recursive queries, but a non-standard use-case may be present in a given environment.” 

Administrators can determine whether the server implementation will be adversely affected by the workaround by enabling diagnostic logging and capturing a sample set representative of typical business flow. The log files can then be reviewed to identify the “presence of anomalously large TCP response packets.”
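As an added example (not from Microsoft, Check Point, or the original article), the script below scans a reassembled TCP payload of DNS traffic for responses above the 65,280-byte threshold quoted above. It assumes the threshold is compared against the DNS message length carried in the 2-byte TCP length prefix; the function names and the sample stream are constructed for illustration.

```python
import struct

WORKAROUND_LIMIT = 65280  # bytes; threshold quoted from Microsoft in this article

def dns_tcp_messages(stream: bytes):
    """Yield (offset, declared_length, body) for each DNS message in a TCP payload.

    DNS over TCP (RFC 1035, section 4.2.2) prefixes each message with a 2-byte
    big-endian length. A message cut off by the capture is still yielded.
    """
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        yield offset, length, stream[offset + 2 : offset + 2 + length]
        offset += 2 + length

def oversized_responses(stream: bytes, limit: int = WORKAROUND_LIMIT):
    """Return one finding per DNS response whose declared length exceeds limit."""
    findings = []
    for offset, length, body in dns_tcp_messages(stream):
        if len(body) < 12:  # shorter than a DNS header: cannot classify
            continue
        ident, flags = struct.unpack_from("!HH", body, 0)
        if flags & 0x8000 and length > limit:  # QR bit set means response
            findings.append({"offset": offset, "id": ident, "length": length,
                             "truncated_capture": len(body) < length})
    return findings

def _make_message(ident: int, is_response: bool, size: int) -> bytes:
    """Build a constructed DNS message of `size` bytes (header plus padding)."""
    flags = 0x8180 if is_response else 0x0100
    body = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    body += b"\x00" * (size - len(body))
    return struct.pack("!H", len(body)) + body

# Constructed sample payload, not real traffic. Queries and responses are
# concatenated here only to exercise the QR-bit filter.
SAMPLE_STREAM = (
    _make_message(0x1001, True, 512)       # ordinary response
    + _make_message(0x1002, False, 65400)  # large, but a query: ignored
    + _make_message(0x1003, True, 65280)   # exactly at the limit: still allowed
    + _make_message(0x1004, True, 65300)   # over the limit: would be dropped
)

if __name__ == "__main__":
    for finding in oversized_responses(SAMPLE_STREAM):
        print(finding)
```

An empty result over a representative capture suggests the workaround would not drop legitimate responses in that environment.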

Previously, hackers launched hijacking campaigns against DNS infrastructure to take control of DNS records and alter communications, and targeted DNS routers amid COVID-19, which highlights the urgency of patching.

This is also the second critical Windows flaw alerted to by CISA in recent months. Microsoft issued a repeat warning at the end of June for administrators, urging them to patch a remote code execution flaw found in some Exchange Servers. CISA warned about a surge in these attacks in March.