17 year old highly critical bug in Windows DNS

11. August, 2020

As CPU manufacturers already had to suffer in 2018, previous design decisions can have fatal consequences. Recently, a faulty program part for Windows servers was detected, which had been “hidden” for a long time in the constantly evolving systems. The result is a massive security problem.

It is remarkable that for IT terms it is almost an eternal story: The origin of the code could be traced back for 17 years and has now caught up with the manufacturer Microsoft. The error detected by Check Point in the Windows Server system code receives the highest CVSS score of 10.0. [1]

Highly critical error with self-propagation capability

Both the probability of exploitation and the possible damage effects received the highest ratings. The faulty routine has existed for many years and can be exploited and spread over the network: The bug is “wormable”. The bug is resident in the DNS subsystem – the domain name system – and can therefore jump from one server to another. DNS is not only an essential part of the TCP/IP protocol and necessary for any communication, but is also required between Windows clients and server. The service therefore cannot simply be restricted or deactivated.

An infection can spread over an extensive network without any interaction and is therefore highly critical. With the patch Tuesday on July 14, an update was delivered – together with 122 other bug fixes. It is therefore important to update all systems as soon as possible. Nearly all current versions of Windows Server from 2003 to 2019 are affected. [2]

SIGRed: Error in Microsoft’s DNS system

The error relates to an outdated routine that provides DNS response handling for the Windows DNS server. The affected message type is “SIG query” and a method to verify the authenticity of DNS replies that is no longer used. If a response larger than 64kB with this type is returned to a server, arbitrary code can be executed on the system. Since the DNS service typically runs only on important components with the highest privileges, highly critical worst-case scenarios are conceivable. For the fastest response, Microsoft has published a workaround guide that provisionally limits the size of DNS responses received.[3]

Software and hardware will always be affected by errors

As security researchers found out, only the code part for Windows servers is vulnerable, but not the routines of Windows clients. This suggests that the vendor maintains two separate branches for client and server and does not exchange fixes sufficiently. The researchers withheld publication of the findings gained in May until Microsoft was able to distribute a software update in July.
SIGRed shows once again that previously unknown errors in software and hardware must always be expected. Comprehensive planning and preparation for errors is therefore an essential part of IT security management.

[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

[2] https://www.zdnet.com/article/critical-sigred-vulnerability-impacts-microsoft-windows-dns-2003-2019-patch-now/

[3] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

SIEM

What is a SIEM?

Nozomi Guardian Air
HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download