A critical bug in the DNS Server component of Windows Server opens company networks to hackers, potentially allowing them to seize control of entire IT infrastructures. The bug, named SIGRed and found by researchers at Check Point, received a severity rating of 10/10.
Windows Server 2003 through 2019 are affected, which means the bug is 17 years old. Most concerning to the researchers, however, is that the bug is wormable: a single exploit of the flaw can trigger a chain reaction that lets the attack spread from one computer to another. A successful exploit grants the attacker Domain Administrator rights, effectively compromising the entire corporate infrastructure.
By sending a DNS response that contains a large (more than 64 KB) SIG record, an attacker can cause a controlled heap-based buffer overflow of approximately 64 KB, allowing malicious code to execute.
The patch is already available, but the real question is when administrators will actually install it: the severity is high, yet the perception of patching (and of maintenance planning in general) is poor, and a culture of patching is not easy to enforce.
The patch must be installed now! Not next week or next month, now!
The point is that millions of DNS servers are exposed to an enormous risk. It is clear that some scenarios are “safer” (for example an SMB or a basic infrastructure), but the idea that a guest user could compromise your Active Directory without having any credentials is not funny.
As I said, the patch is already available to install manually, and within the next week it will be integrated into the Cumulative Update. The good news is that no restart is required, so the effort is very low.
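While the patch is rolling out, the Microsoft advisory for CVE-2020-1350 also documents a registry workaround that caps the size of inbound TCP DNS messages. The script below is an added example (not from the original post or from Microsoft): it reports whether a host runs the DNS Server role and whether that workaround is in place, and with -Apply sets it and restarts the DNS service. It assumes it is run as Administrator on Windows Server with the ServerManager module available.

```powershell
# Audit (and optionally apply) the Microsoft-documented SIGRed workaround:
# HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\TcpReceivePacketSize = 0xFF00
# This is a stop-gap only; the CVE-2020-1350 patch must still be installed.
param([switch]$Apply)

$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valName  = 'TcpReceivePacketSize'
$expected = 0xFF00   # maximum TCP DNS message size recommended in the advisory

function Get-SigRedStatus {
    # Get-WindowsFeature comes from the ServerManager module (Windows Server only)
    $role = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    if (-not $role -or -not $role.Installed) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; DnsRole = $false; Value = $null; Mitigated = $null }
    }
    $current = (Get-ItemProperty -Path $keyPath -Name $valName -ErrorAction SilentlyContinue).$valName
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        DnsRole   = $true
        Value     = $current
        # any value at or below 0xFF00 blocks the oversized responses the bug needs
        Mitigated = ($null -ne $current -and $current -le $expected)
    }
}

$status = Get-SigRedStatus
$status | Format-List

if ($Apply -and $status.DnsRole -and -not $status.Mitigated) {
    New-ItemProperty -Path $keyPath -Name $valName -PropertyType DWord -Value $expected -Force | Out-Null
    # The workaround needs a DNS service restart, not a reboot of the host
    Restart-Service -Name DNS
    Write-Host ("Applied {0}=0x{1:X} and restarted the DNS service." -f $valName, $expected)
}
```

Run it without -Apply across your DNS servers first to get an inventory of what is still exposed; once the patch is installed the registry value can be removed again.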
If you need more details about CVE-2020-1350, from Microsoft, check this link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
If you want to understand how the exploit works, from Check Point, check this link: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/