From WannaCry and NotPetya hit the Internet just over three years ago, the security industry has analyzed every new Windows bug that could be used to create a similar worm that shakes the world. Now, a potentially “problematic” vulnerability, which means an attack can spread from one machine to another without human interaction, has appeared in Microsoft’s implementation of the domain name system protocol, one of the fundamental building blocks of Internet.
As part of its batch of Patch Tuesday software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which company researchers have called SigRed. The SigRed error exploits Windows DNS, one of the most popular types of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of virtually every small and medium-sized organization in the world. The bug, says Check Point, has been around in that software for 17 notable years.
Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 in the Common Vulnerability Scoring System, an industry standard severity rating. The bug is not only problematic, but Windows DNS software often runs on powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow greater penetration into other devices within an organization.
On top of all that, says Check Point’s Vulnerability Research Chief Omri Herscovici, the Windows DNS error in some cases can be exploited without any action by the targeted user, creating a perfect and powerful attack. “It requires no interaction. And not only that, once you’re inside the domain controller running Windows DNS server, expanding your control to the rest of the network is really easy,” says Omri Herscovici. “Basically the game is over.”
The trick
Check Point found the SigRed vulnerability in the DNS part of Windows that handles certain information that is part of the key exchange used in the most secure version of DNS known as DNSSEC. That single piece of data can be maliciously created so that Windows DNS allows a hacker to overwrite pieces of memory that it should not have access to, and ultimately get the full execution of remote code on the destination server. (Check Point says Microsoft asked the company not to advertise too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)
For the remote, uninterrupted version of the attack described by Check Point’s Herscovici, the destination DNS server would have to be exposed directly to the Internet, which is rare on most networks; Administrators generally run Windows DNS on servers they keep behind a firewall. But Herscovici points out that if a hacker can access the local network by accessing corporate Wi-Fi or connecting a computer to the corporate LAN, he can activate the same DNS server takeover. And it may also be possible to exploit the vulnerability with just one link in a phishing email – trick a target into clicking on that link and their browser will initiate the same key exchange on the DNS server that gives the hacker the total control.
Check Point only showed that you could block a target DNS server with that phishing trick, not hijack it. But Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it’s likely that the phishing trick could be used to allow a complete takeover of the targeted DNS server in the vast majority of networks that don’t block outgoing traffic on their firewalls “With careful elaboration, you could probably target DNS servers that are behind a firewall,” says Williams.
Who is affected?
While many large organizations use the BIND DNS implementation that runs on Linux servers, smaller organizations often run Windows DNS, Williams says, so thousands of IT administrators are likely to have to rush to patch the SigRed bug. . And because the SigRed vulnerability has existed in Windows DNS since 2003, virtually all versions of the software have been vulnerable.
.
