In May 2020, a critical vulnerability was discovered in Windows DNS Server (code name SigRed, identifier CVE-2020-1350).

It received the maximum CVSSv3 base score of 10.0 out of 10. A score at that level means the flaw is reachable over the network with low attack complexity and requires neither privileges nor user interaction; exploiting it demands very little from the attacker.

The vulnerability can be exploited remotely and in a fully automated way, since no authentication of any kind is required.

The flaw had existed for 17 years and affects every version of Windows Server from 2003 through 2019 that runs the DNS Server role.

To exploit it, an attacker sends crafted DNS queries to a Windows DNS server that in turn cause it to fetch and parse a malicious response; this leads to arbitrary code execution and can potentially compromise the entire infrastructure.

The bug lies in how the Windows DNS server parses responses to the requests it receives and forwards: a response carrying a SIG record whose decoded size exceeds 64 KB (the limit of the 16-bit size used when the record is allocated) causes a controlled heap buffer overflow, which lets the attacker execute code of their choosing and ultimately take control of the server.

Because the DNS service runs with SYSTEM privileges, and Windows DNS servers are very often domain controllers, taking control of the service typically yields rights at the domain administrator level. What a domain administrator can do is a great deal…

Most interesting of all, it turns out that in some cases the vulnerability can be triggered through a browser: a malicious web page opened by a user inside the network can make some browsers send an HTTP request to TCP port 53 of the DNS server, which the server then parses as a DNS message.

The full technical details from the research reports are being withheld deliberately, to give administrators time to install the security patches.

Naturally, it cannot be ruled out that the vulnerability has already been exploited in the wild, but so far there is no reliable evidence of that.

Microsoft itself warns that Windows DNS Server is a core network component and that the vulnerability is wormable: malware exploiting it could spread between vulnerable machines automatically, without any user intervention.

“One single exploit can trigger a chain reaction whereby attacks will spread from one vulnerable machine to another without human intervention. This means that only one hacked machine can act as a ‘super distributor’, which will allow the attack to spread throughout the organization’s network just a few minutes after the first compromise,” reads the Check Point report.

Microsoft has already fixed the problem, and all users are now urged to install the update as soon as possible, since analysts expect working exploits for this bug to appear imminently.

* Microsoft and Check Point also note that if for some reason patching is not possible, a registry-based workaround is available: set the DWORD value TcpReceivePacketSize under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00 and restart the DNS service. This caps the size of DNS messages the server accepts over TCP below the 64 KB boundary, so a record large enough to trigger the buffer overflow can never be delivered. The workaround only blocks the TCP path and is a stopgap; it should be removed once the patch is installed.
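The following script applies and verifies that workaround from an elevated PowerShell session on the DNS server. It is an added example written for this page, not code from the original post, Microsoft or Check Point; the registry path and value name are the documented ones, while the rollback comment and the before/after checks are this example's own additions.

```powershell
# Added example: apply the interim workaround for CVE-2020-1350 on a Windows DNS server.
# Caps inbound DNS-over-TCP message size at 0xFF00 bytes, then restarts the DNS service.
# Run in an elevated PowerShell session on the DNS server itself.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$cap       = 0xFF00   # 65280 bytes, just below the 64 KB boundary the overflow needs

# Record the current value (if any) so the change can be rolled back after patching.
$before = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $before) {
    Write-Host "$valueName is not set (server accepts full-size TCP messages)"
} else {
    Write-Host ("{0} is currently 0x{1:X}" -f $valueName, $before)
}

# Create or update the DWORD value.
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $cap -Force | Out-Null

# The value is read at service start, so the change is not live until the service restarts.
Restart-Service -Name DNS

# Verify the value actually took and the service is back.
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($after -ne $cap) {
    throw ("Registry value is 0x{0:X}, expected 0x{1:X}" -f $after, $cap)
}
$svc = Get-Service -Name DNS
if ($svc.Status -ne 'Running') {
    throw "DNS service is $($svc.Status) after restart"
}
Write-Host ("Workaround applied: {0} = 0x{1:X}; DNS service is {2}" -f $valueName, $after, $svc.Status)

# Rollback once the security update is installed (run from an elevated session):
#   Remove-ItemProperty -Path $regPath -Name $valueName
#   Restart-Service -Name DNS
```

Restarting the DNS service briefly interrupts name resolution, so schedule it accordingly on production domain controllers. The script is deliberately conservative: it refuses to report success unless the value was written and the service came back up, because a half-applied workaround gives a false sense of protection.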

Copyright © 2015 - 2020 GPD Host All right reserved.