Two researchers at Check Point Research recently discovered a critical vulnerability in the Windows DNS server (CVE-2020-1350), also known as ‘SigRed.’ Microsoft has acknowledged this vulnerability and defined it as a wormable critical vulnerability (CVSS score 10.0). If exploited successfully, an attacker would be granted Domain Administrator rights.
Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install patches immediately.
“Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Microsoft said.
SigRed takes advantage of the parsing of incoming DNS queries or the handling of forwarded queries. An attacker would set up a malicious nameserver, where domains and subdomains would be forwarded to. The exploit would then be able to trigger an integer overflow flaw that would send a response greater than 64KB. The attacker also needs to take advantage of DNS name compression with the buffer overflow to increase the size by a significant amount.
More information will be provided in the coming days by the Check Point Research team on the specifics of the vulnerability.
Microsoft Windows Server versions 2003 and above are affected by this exploit.
Even if a DNS Server isn’t directly connected to the internet, the researchers state that it can be successfully compromised, even through browsers.
SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers’ support for connection reuse and query pipelining features to “smuggle” a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control (TheHackerNews).
A patch will shortly be released shortly by Microsoft, but in the meantime, a work around is provided that shortens the length of the allowed DNS packet size.
Workaround:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f net stop DNS && net start DNS