SIGRed: Microsoft releases patch for critical, wormable vulnerability in Windows DNS Server
As part of this month's Patch Tuesday, Microsoft has issued a fix for a 17-year-old Windows DNS Server vulnerability. Known as SIGRed and tracked as CVE-2020-1350, the flaw is rated Critical and has been assigned a CVSS base score of 10.0, the maximum.
The vulnerability affects all versions of Windows Server and is a wormable remote code execution flaw that requires no user interaction. In addition to issuing a critical patch, Microsoft has also provided details of a workaround for anyone who is unable to deploy the fix immediately.
The vulnerability was discovered by security researchers from Check Point Research, and while hackers are not yet thought to have used the flaw to launch attacks, Check Point says "we believe that the likelihood of this vulnerability being exploited is high".
The team says:
We internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.
We strongly recommend users to patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability.
The research team demonstrates the remote code execution attack in a video.
Writing in the Microsoft Security Response Center, Microsoft's Mechele Gruhn says:
Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a 'wormable' vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.
Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.
Anyone who has automatic updates enabled will receive the fix, but Microsoft is aware that not all systems can be updated straight away. For sysadmins in this position, the company provides details of a registry-based workaround.
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value name: TcpReceivePacketSize
Type: DWORD
Value data: 0xFF00
Note You must restart the DNS Service for the registry change to take effect.
- The Default (also max) Value = 0xFFFF
- The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Microsoft points out that this workaround is not without potential problems:
TCP-based DNS response packets that exceed the recommended value will be dropped without error, so it is possible that some queries may not be answered. This could result in an unanticipated failure. A DNS server will only be negatively impacted by this workaround if it receives valid TCP responses that are greater than allowed in the previous mitigation (over 65,280 bytes).
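The registry change, service restart and verification above are usually scripted rather than done by hand, and the same script should be able to undo the change once the update is installed or if legitimate large TCP responses start being dropped. The following PowerShell is an added example, not Microsoft's or Check Point's code; it assumes an elevated session on a Windows Server with the DNS Server role installed, and the function names (Enable-SigRedWorkaround, Disable-SigRedWorkaround, Get-TcpReceivePacketSize) are this example's own.

```powershell
# Added example: apply, verify and roll back the TcpReceivePacketSize workaround
# for CVE-2020-1350. Not Microsoft's code. Assumes an elevated PowerShell session
# on a Windows Server that runs the DNS Server role. Keep the workaround in place
# only until the July 2020 update is installed; restarting DNS briefly interrupts resolution.

#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # 65280: Microsoft's recommended value, 255 bytes below the 0xFFFF default/max

function Get-TcpReceivePacketSize {
    # Returns the configured value, or $null when the value is absent
    # (the DNS service then uses its 0xFFFF default).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$ValueName
}

function Enable-SigRedWorkaround {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'The DNS Server service is not present on this host; nothing to do.'
    }
    # The value must be a REG_DWORD, as in Microsoft's KB article. -Force overwrites an existing value.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Mitigated -Force | Out-Null
    # The change only takes effect after the DNS service is restarted.
    Restart-Service -Name DNS -Force
    $current = Get-TcpReceivePacketSize
    if ($current -ne $Mitigated) {
        throw "Verification failed: $ValueName is '$current', expected $Mitigated"
    }
    Write-Host ('{0} set to 0x{1:X} ({1}) and DNS restarted.' -f $ValueName, $current)
}

function Disable-SigRedWorkaround {
    # Roll back after patching, or if valid TCP responses larger than 65,280 bytes are being dropped.
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
    Write-Host "$ValueName removed; DNS is back to the 0xFFFF default."
}

# Example run (uncomment to use):
#   Enable-SigRedWorkaround
#   Get-TcpReceivePacketSize      # 65280 while the workaround is in place
#   Disable-SigRedWorkaround      # once the update is installed
```

Because the service silently drops any TCP response larger than the configured size, keep Get-TcpReceivePacketSize in your build documentation so that resolution failures reported later can be traced back to this setting rather than to the upstream server.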
Image credit: Sundry Photography / Shutterstock