Microsoft Urges Patching Severe-Impact Wormable Server Vulnerability


A stock photo of the data center.  I spy with my little eye some EMC Symmetrix DMX-3 or DMX-4 disk bays without credentials on the right and some EMC CX disk bays without credentials on the left.  Disk arrays like these are a cornerstone of traditional enterprise data center SANs.

Microsoft is urging Windows Server customers to patch a vulnerability that allows attackers to take control of entire networks without user interaction and, from there, spread quickly from one computer to another.

Called SigRed by the researchers who discovered it, the vulnerability lies in Windows DNS, the component that responds to requests to translate a domain name into the IP address computers need to locate it on the Internet. By submitting maliciously crafted queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which does not affect client versions of Windows, is present in server versions 2003 through 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft released a fix as part of this month’s Patch Tuesday update.

Both Microsoft and researchers at Check Point, the security firm that discovered the vulnerability, said it is wormable, meaning it can spread from one computer to another much like a row of falling dominoes. Because no user interaction is needed, computer worms have the potential to spread quickly over a network connection alone, without end users doing anything.

When a wormable vulnerability also allows malicious code to run easily, exploits can be especially pernicious, as was the case with the 2016 WannaCry and NotPetya attacks that shut down networks worldwide and caused billions of dollars in damage.

Check Point researchers said the effort required to exploit SigRed is within the means of skilled hackers. While there is no evidence that the vulnerability is being actively exploited at this time, Check Point said that is likely to change, and if it does, the destructive impact would be high.

In a technical analysis, Sagi Tzadik, the company researcher who found the vulnerability in May and privately reported it to Microsoft, wrote:

We believe that the probability of this vulnerability being exploited is high, since internally we found all the primitives necessary to exploit this bug. Due to time constraints, we did not continue to pursue exploitation of the bug (which includes chaining together all the exploitation primitives), but we believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows domain environments, especially domain controllers. Also, some Internet service providers (ISPs) may even have configured their public DNS servers as WinDNS.

In a brief writeup, Microsoft analysts agreed that the underlying heap-based buffer overflow was problematic. The company also rated the likelihood of exploitation as “most likely.” Many outside researchers agreed.

“If I understood the article correctly, calling it ‘wormable’ is really an understatement,” Vesselin Vladimirov Bontchev, a security expert at the National Laboratory of Computer Virology in Bulgaria, wrote on Twitter. “It is suitable for Slammer-like flash worms, which infected the entire population of vulnerable computers on the Internet in approximately 10 minutes.”

Bontchev disagreed with fellow security researcher Marcus Hutchins, who said he thought attackers were more likely to use SigRed to carry out crippling ransomware campaigns. In that scenario, attackers would take control of a network’s DNS server and then use it to push malware to all connected client computers. Slammer refers to SQL Slammer, a 2003 worm that exploited two vulnerabilities in Microsoft’s SQL Server. Within 10 minutes of being released, SQL Slammer infected more than 75,000 machines, some of them owned by Microsoft.

Organizations running Windows DNS should carefully assess their risk and install Tuesday’s patch as soon as possible. For those who can’t patch immediately, Microsoft’s writeup mentioned above offers interim mitigations.