Security vulnerabilities that rate a “perfect” 10 under the Common Vulnerability Scoring System (CVSS) are, thankfully, few and far between. A rating that high means not only that the vulnerability is easy to exploit but also that it is likely to be exploited.
Microsoft has confirmed, in the July 14 “Patch Tuesday” security update, that such a critical vulnerability exists in the Windows DNS server. The advice for users of all versions of Windows Server is to update immediately if possible and to apply a workaround if not.
SigRed, the wormable DNS vulnerability
Discovered by researchers at Check Point, the vulnerability within the Windows Domain Name System (DNS) service implementation is officially tracked as CVE-2020-1350.
DNS is, in simple terms, the phone directory of the internet, converting the human-readable names we all use to visit a website or send an email into the numeric addresses that computers use.
Named SigRed by the security researchers, the vulnerability could, if successfully exploited, give an attacker full domain administrator rights over affected servers and so control of the network.
While other critical vulnerabilities are, sadly, all too common for Windows users, some even requiring emergency out-of-band security updates, CVE-2020-1350 is a whole different ball game. Microsoft has confirmed that SigRed is wormable, meaning it could propagate rapidly without user interaction.
Throw in the ability of SigRed to achieve arbitrary code execution, and it’s hardly surprising it has been given that perfect 10 severity rating. Maybe if I name-drop a couple of other wormable vulnerabilities, it might help put SigRed into context: WannaCry and NotPetya. Yep, that bad.
Affects all Windows Server versions
Mechele Gruhn, a principal security manager at the Microsoft Security Response Center, said that the vulnerability “affects all Windows Server versions.” Gruhn also confirmed that while there is no evidence as yet that SigRed is being exploited in any active attack, it’s “essential that customers apply Windows updates to address this vulnerability as soon as possible.” That advice is repeated by the Cybersecurity and Infrastructure Security Agency (CISA) in a posting to the U.S. National Cyber Awareness System site.
Reinforcing just how serious a security issue this is, Check Point’s vulnerability research team leader, Omri Herscovici, said “there are only a handful of these vulnerability types ever released,” and “every organization, big or small using Microsoft infrastructure is at major security risk if left unpatched.”
Gill Langston, head security nerd at SolarWinds MSP, said that “since nearly everyone is running DNS with Active Directory, bad actors are likely to see the high target count this offers and develop exploits rather quickly.”
It’s not that unusual for old vulnerabilities to remain actively exploited long after a patch has been released, as was the case with the Windows SMBGhost issue, another perfect 10. Perhaps the most alarming aspect of SigRed, however, is that it has been in Microsoft code for at least 17 years, according to Herscovici. “If we found it,” he said, “it is not impossible to assume that someone else already found it as well.”
Patch now if possible, use this workaround if not
Herscovici joins the chorus with Microsoft and CISA in urging all users to patch now, and said it “should be a top priority for remedying,” to “stop the next cyber pandemic.” While users with automatic updates switched on will need to take no action, Microsoft’s Gruhn said that if it isn’t practical to update immediately, then a registry-based workaround to SigRed is available.
The workaround involves a registry change that caps the size of inbound DNS response packets; however, this also means that the Windows DNS server will be unable to resolve DNS names when the response from an upstream server is larger than 65280 bytes. Some queries will therefore go unanswered, and “unanticipated failures” could be experienced.
You can read the full technical deep-dive into SigRed, by Check Point researcher Sagi Tzadik who discovered it, here.