SigRed: A 17-year-old 'wormable' vulnerability for hijacking Microsoft Windows Server

Updated: The vulnerability, fixed in Microsoft's Patch Tuesday, has been awarded a severity rating of 10.0.
Written by Charlie Osborne, Contributing Writer

Researchers have warned organizations to patch their Microsoft Windows Server builds to protect their networks against a critical wormable vulnerability that has existed in the system's code for 17 years. 

Now resolved as part of Microsoft's Patch Tuesday security update on July 14, the bug, tracked as CVE-2020-1350, has been awarded a CVSS severity score of 10.0. 

Discovered by Check Point researcher Sagi Tzaik, the bug lies in Microsoft Windows DNS, the Domain Name System service shipped with Windows operating systems and Windows Server.

Dubbed "SigRed," the vulnerability is of particular importance to the enterprise, the cybersecurity team says, because it is wormable -- or self-propagating -- and as such is able to jump between vulnerable machines without any user interaction, potentially compromising an entire organization's network of PCs in the process. 

See ZDNet's full July Patch Tuesday coverage here: Microsoft July 2020 Patch Tuesday fixes 123 vulnerabilities

By exploiting the flaw, "a hacker [can] craft malicious DNS queries to Windows DNS servers, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure," the team says. 

CVE-2020-1350 affects all Windows Server versions from 2003 to 2019.

The vulnerability exists due to how Windows DNS server parses an incoming DNS query, as well as how forwarded DNS queries are handled. Specifically, sending a DNS response with a SIG record over 64KB can "cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer," the team says. 

"If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and more," Check Point says. 

As the service runs with elevated privileges, an attacker who compromises it is also granted Domain Administrator rights. In limited scenarios, the vulnerability can be triggered remotely through browser sessions. 

Check Point has discussed exploitation primitives in the firm's technical analysis, but at Microsoft's request, has withheld some information to give system administrators time to patch their systems. 

The cybersecurity firm disclosed its findings to Microsoft on May 19. Following triage and verification of the issue, the Redmond giant issued CVE-2020-1350 on June 18, and by July 9, Microsoft had acknowledged that the security flaw was wormable and assigned the bug a high severity score.

Microsoft has issued a fix as of Patch Tuesday.

"This issue results from a flaw in Microsoft's DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected," Microsoft says. 

"Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction," the company added. "Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible."

While there is no evidence at present that the vulnerability has been exploited in the wild, the issue has been hidden in Microsoft's code for 17 years. As a result, Check Point told us, it "can't rule out" the possibility that the bug has been abused during this time. 

"We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug," the company added. "Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it."

If a temporary workaround is required, Check Point recommends setting the maximum length of a DNS message over TCP to 0xFF00. Microsoft has also provided a workaround guide.
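As an added illustration, not part of the article or of Check Point's or Microsoft's own material, the following Python shows the two checks the text describes from a defender's side: it walks a DNS message's resource-record framing to report SIG records (RR type 24) and their largest RDLENGTH, and it compares a DNS-over-TCP frame's two-byte length prefix against the 0xFF00 cap named as a workaround. The sample response is constructed here and carries a deliberately small SIG record.

```python
import struct

SIG_TYPE = 24      # RR type SIG (RFC 2535), the record type named in the advisory
TCP_CAP = 0xFF00   # maximum DNS-over-TCP message length suggested as a workaround


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer also ends it
            return off + 2
        off += 1 + length


def inspect_dns_message(msg):
    """Parse RR framing only; return (sig_count, largest SIG RDLENGTH).

    RDATA is never interpreted, so an oversized record is reported, not decoded.
    """
    qd, an, ns, ar = struct.unpack_from(">HHHH", msg, 4)
    off = 12                                        # fixed 12-byte header
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # QTYPE + QCLASS
    sig_count, max_rdlen = 0, 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        if rtype == SIG_TYPE:
            sig_count += 1
            max_rdlen = max(max_rdlen, rdlen)
    return sig_count, max_rdlen


def tcp_frame_allowed(frame, cap=TCP_CAP):
    """True if the DNS-over-TCP length prefix is within the configured cap."""
    (length,) = struct.unpack_from(">H", frame, 0)
    return length <= cap


def build_sample_response(rdlen):
    """Constructed sample: one question plus one SIG answer of the given RDLENGTH."""
    name = b"\x07example\x03com\x00"
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack(">HH", SIG_TYPE, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SIG_TYPE, 1, 300, rdlen) + b"\x00" * rdlen
    return header + question + answer
```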

ZDNet has reached out to Microsoft with additional queries and will update when we hear back. 

Update 19.07: A micropatch has been made available by 0patch. 
