SIGRed: Worm mutable DNS vulnerability endangers Windows servers

SIGRed: Worm mutable DNS vulnerability endangers Windows servers Cybersecurity

The SIGRed vulnerability can spread malware over a network without user interaction. A patch released by Microsoft is urgently needed.

Remote code execution vulnerabilities affecting core network components of operating systems are rare these days. But when they do occur, the entire IT industry goes on alert because they are among the most dangerous that can lead to mass exploitation of IT systems worldwide. Microsoft released a patch on Tuesday to close the loophole that affects the Windows Domain Name System (DNS) server and urged organizations to deploy the patch as soon as possible.

Identified as CVE-2020-1350, this flaw was discovered by researchers at Check Point Software Technologies who nicknamed it SIGRed, a pun for the name of the vulnerable function that handles DNS SIG queries. This critical vulnerability has received the maximum CVSS severity score of 10 and according to Microsoft, it is mutable in worms. “Mutable worm vulnerabilities have the potential to spread via malware between compromised computers without user interaction,” the Microsoft security team warned in a blog post. “Windows DNS Server is a core network component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to resolve it as quickly as possible. ”

Very broad targeting

It should be noted that this flaw does not affect the Windows DNS client component used to query the DNS servers, but the server component that responds to DNS queries. All versions of Windows Server since 2008 are thus affected by this flaw, in any case those which are configured to run these systems as DNS servers, which is usually the case with a default setting of Windows domain controllers, as close as possible to the Windows core network component. An attacker who successfully exploits the SIGRed vulnerability can therefore execute arbitrary code in the context of the LocalSystem account, which gives him full control over the affected system. If these systems are domain controllers, the whole network can then be compromised.

The SIGred flaw comes from an error in the function that analyzes the DNS responses for SIG type queries, resulting in a buffer overflow. The DNS protocol is used to translate domain names into IP addresses, which is known as an A record. However, the protocol also supports other types of records, such as MX which defines the designated server to manage e -mails or NS which defines the authoritative DNS servers as a domain. GIS is a type of registration used to provide a signature associated with the domain for certain functionalities. In addition to responding to client requests, DNS servers also act as clients themselves, because if they don’t have a local caching response to a request, they are requesting servers higher up the chain. of authority. DNS is a hierarchical system with 13 root DNS servers at the top serving all of the Internet.

The exploit of vulnerability detailed by Check Point

To exploit this vulnerability, Check Point researchers needed a way to force the targeted DNS server to forward a request received from a client to a DNS server they controlled in order to respond to the local server with a malformed packet who would exploit the vulnerability. They did this by first forcing the target server to cache an NS record for a domain they controlled, and then sending another request for a subdomain in that domain. This caused the local server to forward the subdomain request to the DNS server specified in the NS record for the domain which is considered to be authoritative. Checking this authoritative DNS server, the Check Point researchers were able to respond with an exploit.

Getting this exploit to work required extra effort, as the researchers also had to find a way to send larger responses than the DNS standard normally allows to trigger the overflow. Regarding attacks from outside local networks, they also needed a way to force a local computer on the same network, such as the targeted DNS server to send queries to it. It turned out that this could be done by inciting a user to visit a website specially designed in Internet Explorer or Microsoft Edge (non-Chromium version), the DNS queries having been able to be “smuggled” into the HTTP data. POST.

High probability of exploitation

A complete chain of attack could follow this pattern: the attacker accesses a system on the local network or trick a user on the local network to visit a specially designed web page with IE or Edge. The attacker then sends an NS request to the local DNS server to a domain he controls, either directly from the network or via the victim’s browser, and the local DNS server caches the NS record. Then the hacker sends another request, this time for a GIS record for a subdomain on the attacker’s domain: the local DNS server queries the authoritative DNS server specified in the cached NS record. The cybercriminal thus controls the authoritative DNS server for the domain, which allows him to return a malicious DNS response that exploits the vulnerability.

Check Point researchers have published technical details of the whole process, but with details on bypassing certain Windows memory protections, which is a necessary step to turn overflow into code execution. “We think the likelihood of exploiting this vulnerability is high, as we have found internally all the primitives necessary to exploit this bug,” the researchers said in their blog post. “Due to time constraints, we have not continued to exploit the bug (which includes chaining of all exploitation primitives), but we believe that a determined attacker can exploit it. Successful exploitation of this vulnerability has a serious impact, as you can often find uncorrected Windows domain environments, especially domain controllers. In addition, some ISPs may even have configured their public DNS servers as WinDNS. “

A manual workaround

As Microsoft said, it is more than advisable for organizations to install their security patch as soon as possible. If they cannot update their systems immediately, a workaround is to apply a manual registry workaround by entering the following instructions at the command prompt:

HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services DNS Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

The DNS service must be restarted after this modification of the registry for it to take effect.


Rate article