SigRed: a 17-year-old wormable Windows DNS server vulnerability, CVE-2020-1350, was patched by Microsoft in the July 2020 update after researcher Sagi Tzadik notified Microsoft in May of this year.
According to researcher Sagi Tzadik from Check Point:
SigRed (CVE-2020-1350) vulnerability is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.
The bug has a base severity score of 10 and concerns the DNS service in Microsoft Windows Server, affecting versions 2003 to 2019. Exploited successfully, it lets an attacker run with Domain Administrator privileges and damage the enterprise infrastructure. Because it is wormable, meaning it is self-propagating, and runs with domain admin privileges, the bug can spread across the company network and the devices connected to it. The research team says the bug existed because of the way Windows DNS handled, parsed and forwarded DNS queries.
In Check Point's summary:
by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer
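As an added illustration for defenders (not code from Check Point or from this article), the parser below walks a DNS-over-TCP response and reports SIG records (type 24) whose declared RDLENGTH exceeds a threshold, a simple heuristic for flagging the oversized SIG responses the summary describes. The threshold and the sample message are assumptions constructed here, not values from the advisory.

```python
import struct

SIG_TYPE = 24  # RR type SIG (RFC 2535), the record type named in the summary above

def skip_name(msg, off):
    """Return the offset just past the domain name at `off`; a compression
    pointer (top two bits set) occupies two bytes and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_records(msg):
    """Walk a DNS message and return (section, rtype, rdlength) for every RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlength
            records.append((section, rtype, rdlength))
    return records

def oversized_sig_records(tcp_payload, threshold=16384):
    """Take a DNS-over-TCP payload (2-byte length prefix + message) and return the
    RDLENGTH of each SIG record above `threshold` (an assumed tuning value)."""
    (msg_len,) = struct.unpack("!H", tcp_payload[:2])
    msg = tcp_payload[2:2 + msg_len]
    return [rdlength for _, rtype, rdlength in parse_records(msg)
            if rtype == SIG_TYPE and rdlength > threshold]

def build_sample_response(sig_rdlength):
    """Constructed test input: a response for 'example.com SIG' with one SIG record
    whose RDATA is `sig_rdlength` filler bytes (not a real signature)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags, qd, an, ns, ar
    question = b"\x07example\x03com\x00" + struct.pack("!HH", SIG_TYPE, 1)
    answer = (b"\xc0\x0c"                                      # pointer to the question name
              + struct.pack("!HHIH", SIG_TYPE, 1, 300, sig_rdlength)
              + b"\x00" * sig_rdlength)
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg
```

Feed `oversized_sig_records` the payload of each DNS TCP response seen at a resolver or sensor; a non-empty result is worth an alert and a look at the sending server.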
Check Point reported the bug to Microsoft on 19 May 2020, and CVE-2020-1350 was assigned on 18 June 2020. Microsoft acknowledged the issue as a wormable, critical vulnerability with a CVSS score of 10.0 on 9 July and patched it on 14 July 2020. The vulnerability went unnoticed for 17 years and is wormable, so there is little basis for claiming it has not been exploited. The Check Point team says:
“We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers.”
Check Point and Microsoft recommend that system administrators apply the July update so that their infrastructure is secured.