Microsoft issues patch for wormable SIGRed RCE flaw impacting Windows DNS Server
Researchers are putting it in the same risk category as BlueKeep and EternalBlue
Microsoft has released a patch for a critical wormable bug affecting Windows DNS Server, which could allow attackers to seize control of targets' entire IT infrastructure.
According to the company, this remote code execution (RCE) bug, indexed as CVE-2020-1350, affects Windows Server versions 2003 through 2019. It is wormable, meaning that an exploit for the flaw can spread automatically from one vulnerable system to another on the network without requiring any user interaction.
Because of this feature, researchers have put it in the same risk category as BlueKeep in the Remote Desktop Protocol (RDP) and EternalBlue in Server Message Block (SMB).
CVE-2020-1350 could enable attackers to intercept users' emails and network traffic, steal users' credentials, and interfere with services by exploiting Windows' Domain Name System (DNS) Server. DNS is the protocol that maps web domain names to their corresponding IP addresses, thereby enabling a connection to the correct server.
"As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure," Check Point researchers warned in an online post.
CVE-2020-1350 was discovered in May by Check Point researcher Sagi Tzadik, who named it SIGRed and reported it to Microsoft. According to Tzadik, the bug can be triggered by a malicious DNS response, which could lead to a heap-based buffer overflow.
Microsoft has assigned the vulnerability the highest possible risk score of 10 on CVSS. The bug is said to be existing in Microsoft's code for more than 17 years.
While there are no reports so far of the vulnerability being actively exploited at the moment, Check Point researchers warn that the situation might likely change in coming days.
"If I've understood the article correctly, calling it 'wormable' is actually an understatement," Vesselin Vladimirov Bontchev, a security expert stated on Twitter.
"It's suitable for flash worms a la Slammer, which infected the whole population of vulnerable computers on the Internet in something like 10 minutes flat."
Microsoft released the patch for the bug as part of its July Patch Tuesday roundup. The company is now advising Windows server customers to patch the bug as earliest as possible.
Microsoft is also offering a registry-based workaround that does not require restarting the server, but will help protect an affected Windows server.
"Because of the volatility of this vulnerability, administrators may have to implement the workaround before applying the security update in order to enable them to update their systems by using a standard deployment cadence," the company said.