Windows DNS Server is found in the overwhelming majority of infrastructures and is generally installed on every Active Directory Domain Controller. It was recently put under the microscope by Check Point, whose research team discovered a critical vulnerability that has existed for 17 years. Christened SIGRed, it allows attackers to run arbitrary malicious code in the user context of the DNS Server service and to obtain domain admin rights, which is one of the most critical security incidents possible in most infrastructures. Microsoft itself has classified the vulnerability (CVE-2020-1350) at the highest possible risk level (CVSS score 10.0) and as "wormable", meaning that an attack can spread from one system to another without user interaction.
This security vulnerability only affects the DNS Server service, not the DNS client used on Windows client operating systems. However, once domain admin rights have been gained, the data on these clients is also at risk.
An error has been uncovered in the way the DNS Server service handles DNS query response packets: if a response packet is specially crafted and larger than allowed, it leads to a classic heap-based buffer overflow that crashes the service and makes Windows run the planted code. Because Windows automatically restarts a crashed DNS service several times, this behaviour will only be noticed with dedicated monitoring, e.g. a SIEM system with rules configured specifically for it.
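As an added illustration of that monitoring (not code from the original article), the following Python sketch applies the detection logic to constructed Service Control Manager records: it counts unexpected terminations of the DNS Server service (event IDs 7031/7034) per host and flags a crash loop when several fall inside a short window. The pipe-separated export format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows System log records, assumed exported as
# "timestamp|host|source|event_id|message". Event IDs 7031 and 7034 are
# logged by the Service Control Manager when a service terminates unexpectedly.
SAMPLE_LOG = """\
2020-07-15T09:00:01|DC01|Service Control Manager|7036|The DNS Server service entered the running state.
2020-07-15T09:02:10|DC01|Service Control Manager|7031|The DNS Server service terminated unexpectedly. It has done this 1 time(s).
2020-07-15T09:02:12|DC01|Service Control Manager|7036|The DNS Server service entered the running state.
2020-07-15T09:03:40|DC01|Service Control Manager|7031|The DNS Server service terminated unexpectedly. It has done this 2 time(s).
2020-07-15T09:05:05|DC01|Service Control Manager|7034|The DNS Server service terminated unexpectedly. It has done this 3 time(s).
2020-07-15T09:04:00|DC02|Service Control Manager|7031|The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2020-07-15T11:30:00|DC02|Service Control Manager|7031|The DNS Server service terminated unexpectedly. It has done this 1 time(s).
"""

CRASH_EVENT_IDS = {"7031", "7034"}
SERVICE_RE = re.compile(r"^The (?P<service>.+?) service terminated unexpectedly")


def parse_crashes(log_text, service="DNS Server"):
    """Return (timestamp, host) for every unexpected termination of the given service."""
    crashes = []
    for line in log_text.splitlines():
        ts, host, source, event_id, message = line.split("|", 4)
        if source != "Service Control Manager" or event_id not in CRASH_EVENT_IDS:
            continue
        m = SERVICE_RE.match(message)
        if m and m.group("service") == service:
            crashes.append((datetime.fromisoformat(ts), host))
    return crashes


def find_crash_loops(crashes, threshold=3, window=timedelta(minutes=10)):
    """Map host -> (first, last) crash time for hosts with >= threshold crashes in any window."""
    by_host = defaultdict(list)
    for ts, host in crashes:
        by_host[host].append(ts)
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1  # index of the threshold-th crash starting at i
            if j < len(times) and times[j] - times[i] <= window:
                alerts[host] = (times[i], times[j])
                break
    return alerts


if __name__ == "__main__":
    for host, (first, last) in find_crash_loops(parse_crashes(SAMPLE_LOG)).items():
        print(f"ALERT {host}: repeated DNS Server crashes between {first} and {last}")
```

A single crash is ordinary operational noise; the repeated restarts the article describes are what this rule keys on.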
The code is run in the user context of the DNS service. As the service normally runs with elevated privileges ("LOCAL SYSTEM"), attackers who exploit the vulnerability successfully obtain domain administrator rights, putting the entire corporate infrastructure at risk.
In order to actively exploit the vulnerability however, attackers have to delve deep into their box of tricks and fulfil a number of conditions:
Point one is the initial attack vector. Either the user stumbles across a drive-by download or, much more commonly, the attack has to be triggered by clicking on a link. The malicious link can be embedded in a website or sent to the user by e-mail. Of course, a link click is not strictly needed to trigger a name resolution; there are simpler methods for this. Having said that, a normal name resolution is served by the DNS Server via UDP and not via TCP, which is what the attack requires. Attackers can use several tricks to either move the DNS Server to TCP or to get the browser to initiate the DNS query. The latter is no longer possible with browsers such as Chrome and Firefox, but it still is with Internet Explorer, which is widely used in companies.
First security rule: Patch!
Second security rule: Patch!
Third security rule: Patch!
The Windows DNS Server service is installed as standard with every Active Directory Domain Controller. Because it provides the central name resolution, it cannot simply be switched off as a precaution but must be secured while it keeps running.
In consultation with Microsoft, Check Point did not publish information about the vulnerability as soon as it was discovered, but waited some time to give Microsoft the chance to develop a patch, which was released on 14 July 2020. The patch is available for all Windows Server versions from 2008 SP2 up to the current Windows Server 2019. It is, however, no longer available for Windows Server 2003.
Due to the high potential for damage, we recommend the patch be immediately installed.
If this is not possible, Microsoft has published a workaround that reduces the maximum allowed size of TCP-based DNS response packets. The following commands set the necessary registry entry and restart the DNS service:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
Alternatively, an intrusion prevention system can be used to block the attack on the network before it reaches the DNS Server; Check Point has published a matching signature for its IPS Blade, and other manufacturers are expected to follow suit.
It has been shown time and again that highly critical security vulnerabilities continue to be uncovered despite the best efforts of the IT industry. Older code often contains gaps that lie undetected for long periods. Thankfully, no attack exploiting this vulnerability has been detected so far, so it is all the more important to follow the three rules mentioned above. Get in touch with your Bechtle account manager today if you have any questions.