SIGRed: Worm-proof vulnerability discovered in Windows Server

The vulnerability discovered by Check Point is in the DNS service. It is said to have existed for 17 years and affect all server versions. Microsoft has already released a patch.

Check Point has discovered a 17 year old ‘wormable’ vulnerability in Windows Server. The gap led with CVE-2020-1350 points out loud Microsoft the maximum possible severity from 10 to. The patch KB4569509 released yesterday fixes the vulnerability. Administrators should install the update as soon as possible.

The error discovered by check-point researcher Sagi Tzaik relates to Microsoft Windows DNS, the Domain Name System Service in Windows operating systems. According to Check Point, the vulnerability labeled “SIGRed” is particularly dangerous because malicious code can spread quickly and affect other computers. This could shut down an organization’s entire network.

By exploiting the vulnerability, “a hacker can send malicious DNS queries to Windows DNS servers and achieve arbitrary code execution that could affect the entire infrastructure,” says Tzaik in a blog post.

The weakness exists due to the way Windows DNS server parses incoming DNS queries and how forwarded DNS queries are handled. In particular, sending a DNS response with a SIG entry above 64 KB can “cause a controlled heap-based buffer overflow”.

“When triggered by a malicious DNS lookup, it triggers a heap-based buffer overflow that allows the hacker to take control of the server and intercept users’ email and network traffic and manipulate, make services unavailable, acquire user credentials and much more, ”says Check Point.

Check Point discussed exploitation opportunities in the company’s technical analysis, but, at Microsoft’s request, withheld some information to give system administrators time to patch their systems.

The cyber security company announced its results on May 19. After reviewing and verifying the problem, Microsoft announced the vulnerability June 18 at CVE-2020-1350. “This problem results from a bug in Microsoft’s DNS server role implementation and affects all versions of Windows Server. Non-Microsoft DNS servers are not affected, ”says Microsoft.

“Wormable vulnerabilities have the potential to spread through malware between vulnerable computers without user interaction,” the company added. “Windows DNS Server is a central network component. Although it is not currently known that this vulnerability is being used in active attacks, it is important that customers install Windows updates as soon as possible to remedy this vulnerability. ”

While there is currently no evidence that the vulnerability has been exploited, the problem has been in Microsoft’s code for 17 years. As a result, according to Check Point, one cannot “rule out” that the vulnerability was abused during this time.

“We believe that the vulnerability has been exploited because we have found all the internal ways to take advantage of this bug,” the company added. “Due to time constraints, we have not pursued the exploitation of the bug, but we believe that a determined attacker will be able to exploit it.

If a temporary remedy is required, Check Point recommends setting the maximum length of a DNS message via TCP to 0xFF00. Microsoft has also provided a workaround guide.

Online seminar: Network security and network monitoring in the new normal

The Gigamon Visibility Platform is the catalyst for the fast and optimized provision of data traffic for security tools, network performance and application performance monitoring. Find out in this webinar how Gigamon solutions can increase the efficiency of your security architecture and save costs.

Leave a Reply

Your email address will not be published. Required fields are marked *