On 15 July 2020, the National Cyber Security Centre SK-CERT (hereinafter referred to as “SK-CERT”) issued a security warning V20200715-01 about critical vulnerabilities in Microsoft products.
The most serious vulnerability, known as “SIGRed”, allows a complete compromise of the affected computer. Worse, the vulnerable Windows DNS Server is both a core component and an essential requirement of a Windows domain (Active Directory) environment. It is contained in all Microsoft Windows Server versions from 2003 to 2019. The vulnerability can be exploited by a remote attacker even if the DNS service is reachable only from the internal network. It was assigned the identifier CVE-2020-1350 and the highest possible CVSS base score of 10.0.
Check Point published a comprehensive analysis of the vulnerability, on which this warning is based. The complete analysis is available here.
SK-CERT issues this additional warning because it is expected that the vulnerability will also be exploited by attackers in Slovak cyberspace.
What is a Windows DNS Server?
The Windows DNS Server is Microsoft’s implementation of the DNS protocol. It allows devices and users on the network to translate domain names to IP addresses (and back).
DNS runs over UDP and TCP port 53. According to the original standard, a single DNS message (query or response) is limited to 512 bytes over UDP; over TCP, where every message is prefixed by a two-byte length field, it can be up to 65,535 bytes. Since DNS is hierarchical and decentralised, a DNS server that does not know the answer to a query it receives forwards the query to a server higher in the hierarchy. At the top of this hierarchy are the 13 root DNS servers.
In Windows, the DNS Client and the DNS Server are implemented in two different modules. The DNS Client (dnsapi.dll) is responsible for name resolution on every Windows machine; the DNS Server (dns.exe) answers DNS queries on Windows Servers on which the DNS role is installed. The vulnerability is present only in the DNS Server component.
The SIGRed vulnerability has been present in Windows Server for 17 years and was discovered by external security researchers.
How the SIGRed vulnerability works
The vulnerability can be exploited in two scenarios:
- when the server processes a specially crafted query
- when the server processes a response to a query it has forwarded.
In the query scenario the vulnerability is trivially exploitable if the Microsoft DNS Server is reachable from the public Internet.
In the response scenario it can be exploited even if the Microsoft DNS Server is reachable only from the LAN. It is sufficient for the attacker to run his own DNS server for a domain he controls, which returns specially crafted responses, and then to “force” a client behind the victim’s DNS server to resolve a name in that domain; the victim’s server forwards the query to the attacker’s DNS server and receives the malicious response. In many cases a computer or mobile device resolves names automatically, without any confirmation from the user, for example for:
- links in websites
- links in e-mails
- links and domain names processed and displayed by a variety of applications
The root cause is a heap-based buffer overflow in the server’s parsing of SIG resource records (hence the name). The size of the buffer allocated for such a record is computed in a 16-bit value, so a record larger than 64 KB makes the calculation wrap and the server allocates a buffer far smaller than the data it then copies into it. A message of that size cannot arrive over UDP, which is limited to 512 bytes (4,096 bytes if the server supports EDNS0), so the oversized query or response is delivered over TCP, to which DNS falls back when a UDP answer is truncated. This is also why the registry workaround below, which caps the size of DNS messages accepted over TCP, is effective. The overflow allows execution of malicious code with the privileges of the DNS Server service, which can serve any purpose from compromising specific data to escalating privileges and taking control of the system.
As Windows servers are widely used not only in Slovak cyberspace but also globally, SK-CERT strongly recommends that you:
- Apply all security updates released by Microsoft, especially the one that fixes the SIGRed vulnerability. Security updates for the Windows Server environment from version 2003 onwards are available here.
- If the update cannot be installed immediately, modify the registry as follows and then restart the DNS service (the setting is read only at service start). This limits the size of DNS messages the server accepts over TCP and so prevents exploitation of the DNS Server vulnerability until the update is applied:
Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
- Since this is a vulnerability that can have a great impact on critical services in the organisation, SK-CERT further recommends that you:
  - retrain employees in cyber-hygiene, in particular not to open suspicious e-mails or their attachments and to avoid clicking on suspicious links,
  - monitor and evaluate suspicious activity in the network,
  - change passwords to critical services and systems, and to any other systems that share the same passwords, as a preventive measure.
- If a cybersecurity incident occurs in your organization, contact the National Cyber Security Centre SK-CERT at [email protected]
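The registry workaround above, carried out as one script: the following PowerShell is an added example written for this page, not part of the SK-CERT advisory or Microsoft’s own tooling. It assumes an elevated PowerShell session on the Windows DNS server, records any existing value so the change can be reverted after patching, sets TcpReceivePacketSize to 0xFF00, restarts the DNS service and verifies the result.

```powershell
# Added example (not from the SK-CERT advisory or from Microsoft): apply the
# TcpReceivePacketSize workaround for CVE-2020-1350, restart the DNS Server
# service and verify. Run in an elevated PowerShell on the DNS server.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$Workaround = 0xFF00   # 65,280 bytes: the value recommended in the advisory

# The setting only matters on hosts that run the DNS Server role.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Warning 'DNS Server service not found on this host; nothing to do.'
    return
}

# Record the existing value (if any) so the change can be reverted later.
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host ('Current {0}: 0x{1:X}' -f $ValueName, $existing.$ValueName)
} else {
    Write-Host "$ValueName is not set; DNS Server is using its default TCP limit."
}

# Create or overwrite the DWORD value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
    -Value $Workaround -Force | Out-Null

# dns.exe reads the parameter only when it starts, so restart the service.
Restart-Service -Name DNS -Force

# Verify: the value is present with the expected content and the service is back up.
$check = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
$svc   = Get-Service -Name DNS
if ($check -eq $Workaround -and $svc.Status -eq 'Running') {
    Write-Host ('Workaround applied: {0} = 0x{1:X}, DNS service {2}' -f $ValueName, $check, $svc.Status)
} else {
    Write-Warning ('Verification failed: {0} = 0x{1:X}, DNS service {2}' -f $ValueName, $check, $svc.Status)
}
```

The workaround is a stop-gap, not a fix: it works because the malformed record has to exceed 64 KB and can only arrive over TCP, so capping TCP messages at 0xFF00 bytes blocks it. Legitimate DNS messages over TCP larger than 65,280 bytes (which are rare) will be rejected while it is in place. Once the Microsoft update is installed, remove the TcpReceivePacketSize value (Remove-ItemProperty with the same path and name) and restart the DNS service again.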