Security news that informs and inspires

Wormable Flaw in Windows DNS Server Can Take Over IT Networks


Pretty much anything that happens on the Internet depends on the Domain Name System, which means a problem with DNS affects practically every online communication and transaction. Case in point: A critical remote code execution flaw in the way Windows Server handles incoming DNS requests can lead to attackers gaining control of an organization’s entire IT infrastructure.

Microsoft has fixed the critical remote code execution vulnerability (CVE-2020-1350) in Windows Domain Name System Server. A potential attack involves forcing a Windows DNS Server to parse responses sent by a malicious DNS Name Server, said researchers from Check Point, who discovered and reported the flaw to Microsoft. An attacker can potentially install spyware, open a backdoor, and remotely take over the machine without any authorization.

An attacker with Domain Administrator rights over the server, can “intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more,” Check Point wrote.

SigRed, the name Check Point used for the vulnerability, is the result of an issue with how Microsoft’s DNS server implemented roles and not in the DNS protocol itself. The issue has been present in Windows Server for 17 years, and impacts all versions from 2003 to 2019, but doesn't affect non-Microsoft DNS servers or client versions of Windows.

The vulnerability was rated a 10 on the Common Vulnerability Scoring System, the highest possible score. Microsoft also rated the flaw’s exploitability as 1, or “exploitation more likely.” While there is currently no evidence that the vulnerability is being used in any active attacks, that may just be a matter of time. Microsoft urged organizations to prioritize applying the patch in order to close the security hole.

A “determined attacker” would be able to exploit SigRed, wrote Sagi Tzadik, the Check Point researcher who privately reported the flaw to Microsoft. “We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug.”

The fact that the vulnerability is wormable means it could replicate across vulnerable servers on the network without depending on the user to do anything to help it spread.

SigRed is the result of an integer overflow triggering a heap-based buffer overflow attack within dns.exe, which is used by Windows DNS Server to handle DNS queries. The attack relies on crafting a malicious HTTP payload and sending it to the targeted DNS server on port 53, which tricks Windows DNS Server into interpreting the payload as if it was a DNS query, Check Point said.

The flaw is exploited by sending a specially crafted, large TCP DNS request to a vulnerable server, at which point the attacker can execute arbitrary malicious code with the same privileges as the Local System account, said Dustin Childs of Trend Micro’s Zero Day Initiative. SigRed is still an issue even if the DNS servers aren't Internet-facing and handles only internal queries because the exploit could be delivered as a malicious link to users on on Internet Explorer or Microsoft Edge.

Many organizations run Windows DNS Server for internal DNS services since it is easy to set up Active Directory using Windows DNS and DHCP, making Windows DNS a core component of a Windows Domain environment. Since DNS typically resides on the domain controller, a successful exploit allows the attacker to take over the controller and gain control of the entire domain. Organizations may have multiple instances of Windows DNS Server, increasing the potential attack surface.

"As DNS security is not something many organizations monitor for, or have tight controls around, this means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organization’s network within minutes of the first exploit," said CheckPoint.

For Windows administrators who can’t patch their Windows Servers quickly, Microsoft provided a registry-based workaround. Since the attack requires large DNS packets, the option is to edit the registry to limit the size of a DNS message over TCP to 0xFF00. It's not clear what the effects of making this change would be, however.

ZDI's John Simpson wrote on Twitter that the workaround is "effective," as the mechanism for name compression "makes it mathematically impossible to hit the integer overflow with a packet size that small."

"I do not trust the registry key workaround. Its effect is not auditable and provable. Apply the patch," wrote the security expert who posts as Swift on Security on Twitter. The biggest concern was for administrators trying to use the workaround on multiple servers in large environments.