Wormable bug patch landing
Microsoft has pushed out a fix for a critical and wormable vulnerability in Windows Server 2003-2019 that businesses need to get patched urgently.
The bug was found by Tel Aviv-headquartered security firm Check Point, which has dubbed it “SigRED”. It has a maximum CVSS score of 10.0.
The 17-year-old security flaw is tracked as CVE-2020-1350 and should be patched immediately. Check Point said successful exploitation could give domain admin privileges and could “compromise your entire corporate infrastructure.”
The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol level flaw, said Microsoft. Rapid7 found some 41,000+ Microsoft DNS servers exposed in early June. At the timestamp of the scans, all fingerprinted versions were vulnerable.
As of June 14, 20 members of the Fortune 500 were exposing over 250 (combined) vulnerable Windows DNS servers.
“CVE-2020-1350 does not require a direct connection to port 53. If you phish someone, they click on the domain, and their Windows DNS server receives a recursive query response, it is owned”, noted Jorge Orchilles, the CTO of Scythe, an attack emulation platform.
Check Point, which first reported the bug to Microsoft on May 19, has already published a detailed breakdown of the vulnerability, meaning its use by bad actors is unlikely to be far behind — although they would need to work out themselves how to chain together all of the exploitation primitives; not unlikely for a determined attacker.
Redmond added: “We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”
Microsoft said the remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests: “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.”
Check Point notes: “Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.”
Windows Server Vulnerability: Attacker Gets DA Rights
Microsoft has also pushed out a registry modification as a workaround for this vulnerability: under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, set the DWORD TcpReceivePacketSize to the value 0xFF00.
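For admins who cannot patch right away, the following PowerShell sketch audits a DNS server for that registry workaround and, with a switch, applies it. It is an added example, not code from Microsoft or Check Point; the `-Apply` switch and function name are hypothetical, and the DNS service restart reflects the assumption that the value is only read when the service starts.

```powershell
# Added example: audit (and optionally apply) the TcpReceivePacketSize workaround.
# Run in an elevated session on the Windows DNS server itself.
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name     = 'TcpReceivePacketSize'
$Expected = 0xFF00   # value given in the workaround

function Get-WorkaroundState {
    # Returns 'Missing', 'Mismatch' or 'Applied' for the local machine.
    $prop = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Missing' }
    if ([int64]$prop.$Name -eq $Expected) { return 'Applied' }
    return 'Mismatch'
}

# Only machines running the DNS Server service are in scope.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Output 'DNS Server service not installed; workaround not applicable.'
    return
}

$state = Get-WorkaroundState
Write-Output "Workaround state before: $state"

if ($Apply -and $state -ne 'Applied') {
    # -Force overwrites an existing value of the wrong size or type.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord `
        -Value $Expected -Force | Out-Null
    # Assumption: the DNS service reads this value at start-up, so restart it.
    Restart-Service -Name DNS
    Write-Output "Workaround state after: $(Get-WorkaroundState)"
}
```

Run without `-Apply` first to inventory which servers still report `Missing` or `Mismatch`; the workaround is a stopgap until the patch is installed.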
The bug looks to be among the worst reported this year with potentially catastrophic impact if the exploit proves easy to replicate and patching is slow.
The Windows server vulnerability is the fourth CVSS 10 — the highest level of criticality for software bugs, denoting high impact from exploitation and comparative ease of abuse — patched in just two weeks by a major software vendor.
Chris Hass, Director of Information Security and Research, Automox, added in an emailed comment: “Microsoft has deemed the exploitation of this vulnerability as ‘more likely’, and considering the nature of the workaround steps Microsoft has provided if a patch cannot be applied right away, we predict that we will see this vulnerability exploited in the wild soon. The only good news is that this is not a vulnerability in the DNS protocol but limited to Microsoft’s DNS server implementation of it; however, this implementation is widespread, especially in larger organizations.”
He added: “Although DNS is a critical service to any organization, and an outage for any length of time can heavily impact productivity, the alternative is leaving your organization open to attack from a wormable vulnerability that, if exploited, could give way to malware as damaging as WannaCry or NotPetya. It is absolutely critical for any organization that is affected by this vulnerability to patch immediately.
“If last week wasn’t enough of a fire drill for admins to patch CVE-2020-5902, they have another on their hands this week with CVE-2020-1350.
“If an attacker successfully exploits this vulnerability, it will be an absolute nightmare to eradicate them from your network.”